
Summary
This detection rule identifies impersonation attacks carried out via Microsoft Teams messages. It checks for messages that mimic official Teams communications in order to lure users into a phishing trap. The primary indicators come from the content and attachments of incoming messages, with a focus on certain file types such as images and PDFs. The rule verifies that fewer than 10 attachments are present and that at least one attachment matches criteria indicating potential impersonation, in particular text conveying urgency or a directive to 'reach out' in connection with Microsoft Teams activity. Furthermore, the sender's email domain is compared against a whitelist of legitimate Microsoft domains to confirm that the message did not originate from a recognized Microsoft source, which improves the reliability of the detection.
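The following is an added illustration of the rule's logic, not the rule's own implementation: it evaluates constructed messages against the three conditions above (fewer than 10 attachments, at least one image or PDF attachment whose extracted text pairs urgency or "reach out" with Teams, and a sender domain outside the Microsoft whitelist). The whitelist entries, the urgency phrasing and the extracted attachment text are assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed whitelist of legitimate Microsoft sender domains (the page does not list them).
LEGIT_MS_DOMAINS = {"microsoft.com", "microsoftonline.com"}

# Attachment types the rule inspects: images and PDFs.
INSPECTED_TYPES = {"image/png", "image/jpeg", "application/pdf"}

# Assumed phrasing for urgency or a directive to "reach out", and for Teams context.
URGENCY_RE = re.compile(r"\b(urgent|immediately|action required|reach out)\b", re.I)
TEAMS_RE = re.compile(r"\bmicrosoft teams\b|\bteams\b", re.I)

MAX_ATTACHMENTS = 10  # the rule requires fewer than 10 attachments


@dataclass
class Attachment:
    content_type: str
    text: str  # text extracted from the attachment (OCR for images, PDF text layer)


@dataclass
class Message:
    sender: str
    attachments: list = field(default_factory=list)


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_whitelisted(domain: str) -> bool:
    # Exact match or a subdomain of a whitelisted Microsoft domain.
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_MS_DOMAINS)


def attachment_suspicious(att: Attachment) -> bool:
    if att.content_type not in INSPECTED_TYPES:
        return False
    return bool(URGENCY_RE.search(att.text) and TEAMS_RE.search(att.text))


def matches_rule(msg: Message) -> bool:
    if len(msg.attachments) >= MAX_ATTACHMENTS:
        return False
    if is_whitelisted(sender_domain(msg.sender)):
        return False  # recognized Microsoft source: not an impersonation
    return any(attachment_suspicious(a) for a in msg.attachments)


# Constructed sample messages for demonstration.
LURE = Attachment("image/png", "URGENT: 3 missed Microsoft Teams messages. Reach out now.")
PHISH = Message("alerts@teams-notify.example.net", [LURE])
LEGIT = Message("noreply@teams.microsoft.com", [LURE])
BENIGN = Message("colleague@example.org", [Attachment("application/pdf", "Q3 report attached")])
```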
Categories
- Identity Management
- Endpoint
- Web
- Application
Data Sources
- User Account
- Process
- Network Traffic
- Application Log
Created: 2023-07-31