Impersonation using recipient domain (untrusted sender)

Sublime Rules

Summary
This detection rule identifies potential email impersonation attacks in which a sender places the recipient's domain in their display name to pass as a member of the recipient's organization. The rule fires only when all of the following hold: the message has exactly one recipient; the sender's email domain is not a free email provider; and the sender's display name contains the recipient's domain. Senders from a list of high-trust domains are excluded, unless the message fails DMARC authentication, since a failing DMARC check means the trusted domain cannot be relied on as the true origin of the message. Finally, the sender's profile must mark the sender as untrusted: either the sender is new or an outlier for the recipient, or the sender has previously sent malicious or spam messages and has no recorded false positives. The rule is assigned medium severity because a match typically indicates a credential phishing attempt.
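The following is an added example that re-implements the conditions summarised above in Python so they can be exercised against constructed messages. It is not Sublime's own rule or its MQL source; the free-provider and high-trust domain lists, the profile field names and values, the same-organization exclusion, and all sample messages are assumptions made for this demo.

```python
"""Re-implementation of the detection logic summarised above, written here as an
added example. It is not Sublime's own rule or MQL. The provider and trusted-domain
lists, the profile field names and all sample messages are assumptions constructed
for this demo."""
from dataclasses import dataclass
from email.utils import getaddresses, parseaddr

# Assumed lists (constructed for this example; the real rule uses Sublime's maintained lists).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"docusign.com", "salesforce.com"}


@dataclass
class SenderProfile:
    """Assumed shape of the per-sender profile the rule consults."""
    prevalence: str                          # "new", "outlier" or "common" (assumed values)
    any_messages_malicious_or_spam: bool = False
    any_false_positives: bool = False


@dataclass
class Message:
    from_header: str
    to_header: str
    dmarc_pass: bool
    profile: SenderProfile


def root_domain(domain: str) -> str:
    """Naive registrable domain (last two labels). Adequate for the sample data;
    a real implementation should consult the public suffix list."""
    parts = domain.lower().split(".")
    return ".".join(parts[-2:])


def matches(msg: Message) -> bool:
    """Return True when the message satisfies every condition of the rule."""
    display_name, sender_addr = parseaddr(msg.from_header)
    recipients = [addr for _, addr in getaddresses([msg.to_header]) if addr]

    # Condition 1: exactly one recipient.
    if len(recipients) != 1:
        return False

    # Condition 2: the sender's domain is not a free email provider.
    sender_domain = sender_addr.rpartition("@")[2].lower()
    if not sender_domain or sender_domain in FREE_EMAIL_PROVIDERS:
        return False

    # Condition 3: the display name contains the recipient's domain (case-insensitive).
    recipient_domain = recipients[0].rpartition("@")[2].lower()
    if not recipient_domain or recipient_domain not in display_name.lower():
        return False

    # Assumption not stated in the summary: a sender that really belongs to the
    # recipient's organization is not impersonating it.
    if root_domain(sender_domain) == root_domain(recipient_domain):
        return False

    # Condition 4: high-trust senders are exempt only while DMARC passes; a failing
    # DMARC check means the trusted domain cannot vouch for the message.
    if root_domain(sender_domain) in HIGH_TRUST_SENDER_ROOT_DOMAINS and msg.dmarc_pass:
        return False

    # Condition 5: the sender profile must mark the sender as untrusted.
    p = msg.profile
    return p.prevalence in ("new", "outlier") or (
        p.any_messages_malicious_or_spam and not p.any_false_positives
    )


# Constructed sample messages (not real traffic).
SAMPLES = {
    "impersonation_new_sender": Message(
        '"Jane Doe - acme.com IT Support" <jane.doe@acme-helpdesk.net>',
        "bob@acme.com", True, SenderProfile("new")),
    "free_provider_excluded": Message(
        '"acme.com Helpdesk" <acmehelpdesk@gmail.com>',
        "bob@acme.com", True, SenderProfile("new")),
    "trusted_domain_dmarc_pass": Message(
        '"acme.com via DocuSign" <dse@docusign.com>',
        "bob@acme.com", True, SenderProfile("new")),
    "trusted_domain_dmarc_fail": Message(
        '"acme.com via DocuSign" <dse@docusign.com>',
        "bob@acme.com", False, SenderProfile("new")),
    "two_recipients": Message(
        '"Jane Doe - acme.com IT Support" <jane.doe@acme-helpdesk.net>',
        "bob@acme.com, alice@acme.com", True, SenderProfile("new")),
    "established_clean_sender": Message(
        '"Jane Doe - acme.com IT Support" <jane.doe@acme-helpdesk.net>',
        "bob@acme.com", True, SenderProfile("common")),
    "known_bad_sender_no_fps": Message(
        '"Jane Doe - acme.com IT Support" <jane.doe@acme-helpdesk.net>',
        "bob@acme.com", True,
        SenderProfile("common", any_messages_malicious_or_spam=True)),
    "internal_sender": Message(
        '"Bob - acme.com IT" <it@acme.com>', "bob@acme.com", True, SenderProfile("new")),
}


def evaluate_samples() -> dict:
    """Run the rule over every constructed sample and return name -> verdict."""
    return {name: matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{'MATCH' if verdict else 'no   '}  {name}")
```

The two DocuSign samples show the DMARC caveat in isolation: the same display name and sender address are exempt while DMARC passes and become a match the moment it fails. The profile conditions are the main false-positive control; without them every external vendor that mentions a customer's domain in its display name would fire.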
Categories
  • Web
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2022-12-12