Brand impersonation: Wise

Sublime Rules

Summary
This detection rule identifies impersonation attacks targeting Wise Financial, an online banking service. It applies multiple criteria to assess whether an email fits the profile of a phishing attempt disguised as communication from Wise.

The rule first checks whether the sender's display name or email domain contains references to "wise" in various forms, indicating potential brand impersonation. It then uses natural language processing to analyze the message body for keywords or intents often associated with fraudulent activity, specifically those related to financial transactions, credential theft, or attempts to steal personally identifiable information (PII). Any attachments are inspected for common file types that could carry malicious content, such as executable files or compressed archives, and any hyperlinks in the email are compared against a predefined list of suspicious phrases that commonly appear in phishing attempts targeting users' financial accounts.

To limit false positives, the rule also requires that the sender's domain is not a verified Wise domain or another trusted sender. If the sender's domain fails DMARC authentication checks, this could increase the urgency of the alert. Overall, the rule takes a thorough approach to detecting sophisticated phishing techniques that exploit brand trust, specifically those targeting Wise Financial customers.
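The checks in this summary, combined in an added Python sketch that is not the rule's own source and leaves out the natural language analysis of the body. The message fields, trusted-domain list, link phrases, file extensions and lookalike map are assumptions, the sample messages are constructed, and exempting a trusted domain only when DMARC passes is a choice made in this sketch.

```python
import re
import unicodedata

# Assumed values for this sketch; none are taken from the rule's source.
TRUSTED_DOMAINS = {"wise.com", "transferwise.com"}
LINK_PHRASES = ("verify your account", "confirm your identity", "review transfer")
RISKY_EXTENSIONS = (".exe", ".scr", ".zip", ".rar", ".7z")
LOOKALIKES = str.maketrans({"1": "i", "!": "i", "0": "o", "5": "s", "3": "e"})


def normalize(text):
    """Fold accents and common digit substitutions so 'W1se' and 'Wíse' match."""
    folded = unicodedata.normalize("NFKD", text.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return folded.translate(LOOKALIKES)


def references_wise(msg):
    # Word boundaries keep names such as "Otherwise Ltd" from matching.
    name_hit = re.search(r"\bwise\b", normalize(msg["display_name"])) is not None
    return name_hit or "wise" in normalize(msg["from_domain"])


def suspicious_content(msg):
    links = any(p in text.lower() for text in msg["link_texts"] for p in LINK_PHRASES)
    files = any(name.lower().endswith(RISKY_EXTENSIONS) for name in msg["attachments"])
    return links or files


def evaluate(msg):
    if msg["from_domain"].lower() in TRUSTED_DOMAINS and msg["dmarc_pass"]:
        return None  # authenticated mail from a known-good sender
    if not (references_wise(msg) and suspicious_content(msg)):
        return None
    return "medium" if msg["dmarc_pass"] else "high"  # DMARC failure escalates


def sample(name, domain, links=(), files=(), dmarc=True):
    return {"display_name": name, "from_domain": domain, "link_texts": links,
            "attachments": files, "dmarc_pass": dmarc}


SAMPLES = [  # constructed messages
    sample("Wise Support", "wise-payments.example", links=["Verify your account"], dmarc=False),
    sample("W1se", "mailer.example", files=["statement.zip"]),
    sample("Wise", "wise.com", links=["Review transfer"]),
    sample("Otherwise Ltd", "shop.example", links=["Verify your account"]),
]
print([evaluate(m) for m in SAMPLES])
```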
Categories
  • Web
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
Created: 2024-04-08