
Summary
This detection rule identifies potentially malicious emails by analyzing the sender's display name for the presence of an Active Directory distinguished name or similar strings indicative of impersonation. Attackers often spoof sender details using formats that resemble legitimate Active Directory entries in order to evade detection and phish credentials. The rule triggers when the sender's display name includes specific identifiers (such as 'EX', 'LABS', 'OU', or 'CN') commonly found in distinguished names, or a known string from the Exchange Labs organization. It then checks that the sender's email domain is not listed among the known organizational domains, which reduces false positives from legitimate internal mail. If the email domain belongs to a specific trusted domain such as 'fnfcorp.com', the rule also verifies that DMARC authentication passed before treating the message as legitimate. This layered approach aids in detecting and mitigating credential phishing attempts that use legitimate-looking sender details to deceive recipients.
Categories
- Identity Management
- Endpoint
- Web
Data Sources
- User Account
- Application Log
Created: 2023-12-18