
Lookalike sender domain (untrusted sender)

Sublime Rules

Summary
This detection rule flags incoming emails whose sender domain closely resembles one of the organization's known domains, treating them as potential threats. It rests on the premise that email domains can be crafted to look like legitimate ones, a technique common in business email compromise (BEC) and phishing attacks. The rule compares the sender's domain against the organization's domains using the Levenshtein distance function, which measures the number of single-character edits needed to turn one string into another. If the sender's domain is a one-character variation of any organization domain and is not on the organization's approved or trusted senders list, the rule triggers an alert. It also factors in sender reputation by looking for new or outlier senders whose messages are unsolicited, or whose messages have been flagged as malicious or spam. To minimize false positives, an additional check ignores highly trusted domains unless they fail DMARC authentication. Overall, the rule combines sender analysis with string matching to improve detection of lookalike domain attacks.
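The following is an added example, not the Sublime rule's own logic: a minimal Python version of the checks described above (Levenshtein distance of exactly one from an organization domain, trusted-sender exclusion, DMARC override for highly trusted domains, and an unsolicited/flagged reputation condition), run over constructed sample messages. The domain lists and message fields are assumptions for illustration.

```python
# Added example mirroring the rule's logic; all domains and messages are constructed.
ORG_DOMAINS = {"example.com"}                        # constructed: organization domains
TRUSTED_SENDERS = {"example.co", "partner.example"}  # constructed: approved/trusted senders
HIGH_TRUST_DOMAINS = {"examp1e.com"}                 # constructed: ignored unless DMARC fails

def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()

def is_lookalike(msg: dict) -> bool:
    """True when the message satisfies every condition of the rule."""
    domain = sender_domain(msg["from"])
    if domain in ORG_DOMAINS or domain in TRUSTED_SENDERS:
        return False
    # Exact matches are the organization's own mail; distance 1 is a lookalike.
    if not any(levenshtein(domain, org) == 1 for org in ORG_DOMAINS):
        return False
    # Highly trusted domains are ignored unless DMARC authentication fails.
    if domain in HIGH_TRUST_DOMAINS and msg.get("dmarc") == "pass":
        return False
    # Reputation: new/outlier unsolicited senders, or messages already flagged.
    return bool(msg.get("unsolicited") or msg.get("flagged"))

SAMPLE_MESSAGES = [  # constructed sample input
    {"from": "ceo@examp1e.com", "dmarc": "fail", "unsolicited": True},
    {"from": "ceo@examp1e.com", "dmarc": "pass", "unsolicited": True},
    {"from": "hr@exampl.com", "dmarc": "none", "unsolicited": True},
    {"from": "hr@example.co", "dmarc": "none", "unsolicited": True},
    {"from": "it@example.com", "dmarc": "pass", "unsolicited": False},
    {"from": "it@totallydifferent.com", "dmarc": "none", "flagged": True},
]

def evaluate(messages=SAMPLE_MESSAGES) -> list:
    """Return the sender addresses that would raise an alert."""
    return [m["from"] for m in messages if is_lookalike(m)]

if __name__ == "__main__":
    for sender in evaluate():
        print("ALERT lookalike sender:", sender)
```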
Categories
  • Identity Management
  • Web
  • Cloud
  • Infrastructure
  • Endpoint
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2022-08-04