
Summary
Detects emails and messages that impersonate LastPass. The rule fires on inbound messages that contain at least one link and whose sender display name or domain is obfuscated to resemble LastPass. It flags content that mentions maintenance, backups, master passwords, or vault exports; content that includes the real LastPass support address; and links that point to AWS S3 resources. It also checks URLs for email parameters (e.g., email=...) whose value matches a recipient. In addition, it uses NLP/ML signals to surface topics such as Security and Authentication or Reminders/Notifications with non-low confidence. Newsletters are excluded, and legitimate LastPass communications are filtered out when the sender's domain is LastPass and DMARC passes. The rule also treats invalid sender addresses as suspicious. Overall, it targets credential phishing via brand impersonation and social engineering in inbound messages.
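The core conditions from the summary, sketched in Python as an added example (not the rule's own source): the sender look-alike check, lure keywords, S3 links and recipient-matching `email=` parameters, with the newsletter and DMARC exclusions applied first. The message dict layout, the look-alike map and the `lastpass.com` domain are assumptions; the NLP/ML topics, the support-address check and the invalid-sender check are left out.

```python
import re
import unicodedata
from urllib.parse import parse_qs, urlsplit

BRAND, LEGIT_DOMAIN = "lastpass", "lastpass.com"  # assumed brand token and legitimate root domain
LURES = ("maintenance", "backup", "master password", "vault export")
# Small constructed look-alike map; it does not cover non-Latin homoglyphs.
FOLD = str.maketrans({"0": "o", "1": "l", "5": "s", "$": "s", "@": "a", "|": "l"})

def looks_like_brand(text):
    """Fold accents, look-alike characters and separators, then search for the brand."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    folded = re.sub(r"[^a-z]", "", ascii_text.lower().translate(FOLD))
    return BRAND in folded

def is_s3(host):
    return host.endswith(".amazonaws.com") and any(lab.startswith("s3") for lab in host.split("."))

def email_param_hits(url, recipients):
    values = parse_qs(urlsplit(url).query).get("email", [])  # percent-decoding is done by parse_qs
    return any(v.lower() in recipients for v in values)

def evaluate(msg):
    """Return the content signals for a matching message; an empty list means no match."""
    domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    if not msg["links"] or msg.get("newsletter"):
        return []
    if (domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN)) and msg["dmarc_pass"]:
        return []  # authenticated LastPass mail is excluded
    if not (looks_like_brand(msg["display_name"]) or looks_like_brand(domain)):
        return []
    body = msg["body"].lower()
    recipients = {r.lower() for r in msg["to"]}
    signals = [f"lure:{w}" for w in LURES if w in body]
    for url in msg["links"]:
        if is_s3((urlsplit(url).hostname or "").lower()):
            signals.append("s3_link")
        if email_param_hits(url, recipients):
            signals.append("recipient_in_url")
    return signals

# Constructed sample messages (not real traffic).
PHISH = {"display_name": "La5tPa$$ Support", "from_addr": "alerts@1astpass-help.example",
         "to": ["alice@example.com"], "dmarc_pass": False,
         "body": "Scheduled maintenance: create a vault export and confirm your master password.",
         "links": ["https://constructed-bucket.s3.amazonaws.com/i.html?email=alice%40example.com"]}
LEGIT = dict(PHISH, display_name="LastPass", from_addr="no-reply@lastpass.com", dmarc_pass=True)
```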
Categories
- Web
- Application
- Endpoint
Data Sources
- Application Log
Created: 2026-03-06