
Summary
This detection rule targets potential phishing attempts that exploit a spoofable internal domain by examining email characteristics for suspicious signals. It flags messages in which the sender appears to belong to an organization known to the recipient (an internal domain) but does not use a matching display name, a mismatch that is a common phishing indicator. It further requires that the SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance) verdicts are 'none', which indicates that the domain is spoofable. The analysis extends to the email body and headers, looking for unexpected links, mismatched domains, and language characteristic of social engineering. The rule also notes that automated email systems can trigger false positives, so further tuning may be needed for such cases.
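The following Python sketch is an added example of the logic the summary describes, not the rule's own code: it parses a constructed message, checks the internal-domain, display-name and SPF/DMARC conditions, collects the body signals, and skips the assumed list of automated senders that the summary names as the main false-positive source. The org domains, expected display names and allowlist are all assumptions for the example.

```python
import re
from email.utils import parseaddr

# All values below are constructed for this example; they are not the rule's own data.
ORG_DOMAINS = {"example.com"}                      # assumed internal (spoofable) domains
EXPECTED_DISPLAY_NAMES = {"it-support@example.com": "Example IT Support"}  # assumed
AUTOMATED_SENDERS = {"noreply@example.com", "alerts@example.com"}          # assumed allowlist
SOCIAL_ENGINEERING_TERMS = ("urgent", "verify your password", "account will be suspended")

SAMPLE_MESSAGE = {  # constructed phishing-style message, parsed fields only
    "from": '"IT Helpdesk" <it-support@example.com>',
    "authentication_results": "mx.example.com; spf=none smtp.mailfrom=example.com; dmarc=none",
    "body": "Your mailbox is full. Verify your password urgently at http://example-mail-login.net/reset",
}


def auth_verdicts(header):
    """Extract spf/dmarc verdicts from an Authentication-Results style header."""
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dmarc)=(\w+)", header, re.I)}


def is_internal(domain, org_domains):
    return any(domain == o or domain.endswith("." + o) for o in org_domains)


def evaluate(msg, org_domains=ORG_DOMAINS):
    """Return (match, signals): match is True only when the rule's core conditions hold."""
    display_name, address = parseaddr(msg.get("from", ""))
    address = address.lower()
    sender_domain = address.rsplit("@", 1)[-1]
    # The rule only concerns senders claiming an internal domain; known automated
    # systems are skipped up front because the summary names them as a false-positive source.
    if not is_internal(sender_domain, org_domains) or address in AUTOMATED_SENDERS:
        return False, []
    signals = []
    verdicts = auth_verdicts(msg.get("authentication_results", ""))
    if verdicts.get("spf") == "none" and verdicts.get("dmarc") == "none":
        signals.append("spoofable_domain")          # domain offers no SPF/DMARC protection
    expected = EXPECTED_DISPLAY_NAMES.get(address)
    if expected and display_name.strip().lower() != expected.lower():
        signals.append("display_name_mismatch")     # mailbox used with an unexpected name
    body = msg.get("body", "")
    links = {d.lower() for d in re.findall(r"https?://([^/\s]+)", body)}
    if any(not is_internal(d, org_domains) for d in links):
        signals.append("external_link")             # link domain does not match the org
    if any(term in body.lower() for term in SOCIAL_ENGINEERING_TERMS):
        signals.append("social_engineering_language")
    core = {"spoofable_domain", "display_name_mismatch"}
    return core.issubset(signals), signals
```

The body signals are reported as supporting context; only the spoofable-domain and display-name conditions decide the match, mirroring the rule's core logic.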
Categories
- Identity Management
- Web
- Endpoint
Data Sources
- User Account
- Process
- Network Traffic
- Application Log
Created: 2023-05-24