
Summary
This rule detects inbound (initial-contact) emails that appear to be a first-time outreach and are crafted to impersonate an employee. It targets messages where the sender's display name does not match the local-part of the sending address, the body opens with a basic greeting that references the subject line, and the body ends with the sender's display name. The detection enforces a short initial contact (no replies in the thread, body length under 500 characters, and no attachments) to identify early-stage social engineering attempts typically used in Business Email Compromise (BEC) scenarios. It uses content analysis to examine the greeting and body structure, and sender analysis to compare the display name with the email local-part. The rule is labeled under BEC/Fraud with the tactics Impersonation: Employee and Social engineering, and its detection methods are Content analysis and Sender analysis. Implementation considerations include potential false positives from legitimate aliasing or naming conventions that do not align the display name with the local-part; the rule should be complemented with other email security controls (SPF/DKIM/DMARC) and user education.
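The conditions described above, applied to one raw message, as an added Python example that is not part of the rule's own definition. The local-part heuristics (jane.doe, jdoe, janed), the reading of "greeting referencing the subject" as the subject text being echoed in the first two body lines, and the sample messages are my assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
GREETING = re.compile(r"^(hi|hello|hey|dear|good (morning|afternoon))\b", re.I)

def _norm(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())

def name_matches_local_part(display_name, local_part):
    """True if the display name plausibly produced the local-part (jane.doe, jdoe, janed, jane)."""
    tokens = [_norm(t) for t in display_name.split() if _norm(t)]
    local = _norm(local_part)
    forms = set(tokens) | {"".join(tokens)}
    if len(tokens) >= 2:
        first, last = tokens[0], tokens[-1]
        forms |= {first[0] + last, first + last[0], last + first, last + first[0]}
    return local in forms

def is_suspected_employee_impersonation(raw):
    """Apply the rule's conditions to one RFC 5322 message; True means 'flag it'."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    local_part = addr.partition("@")[0]
    if not display_name or not local_part or name_matches_local_part(display_name, local_part):
        return False
    # initial contact only: not part of a thread, no attachments, short body
    if msg.get("In-Reply-To") or msg.get("References") or any(p.get_filename() for p in msg.walk()):
        return False
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().strip() if part else ""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not body or len(body) >= 500 or len(lines) < 2:
        return False
    # opening line is a greeting that echoes the subject; last line is the display name
    subject = _norm(msg.get("Subject", ""))
    greeting_ok = bool(GREETING.match(lines[0])) and bool(subject) and subject in _norm(" ".join(lines[:2]))
    signoff_ok = _norm(lines[-1]) == _norm(display_name)
    return bool(greeting_ok and signoff_ok)

# Constructed sample messages (not real mail): a lookalike sender and a legitimate colleague.
SUSPECT = """From: Jane Doe <ceo.office.0142@example.net>
Subject: Quick favor

Hi Tom, I need a quick favor before my next meeting.
Can you confirm the vendor bank details we have on file today?
Thanks,
Jane Doe
"""
LEGIT = SUSPECT.replace("ceo.office.0142@example.net", "jane.doe@example.com")
```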
Categories
- Endpoint
- Application
- Network
Data Sources
- Application Log
- Network Traffic
Created: 2026-05-29