Domain Impersonation: Freemail ReplyTo_Local Lookalike with Financial Request

Sublime Rules

Summary
This detection rule identifies domain impersonation attacks that use free email services, where the attacker crafts a Reply-To address that closely resembles a legitimate one. The attacker builds the local part of the Reply-To address from the target's domain (for example, a corporate domain name embedded before the freemail provider's "@"), so the address appears trustworthy to recipients. The detection criteria scrutinize inbound emails for a discrepancy between the sender's domain and the domain used in the Reply-To address, combined with conditions that check for financial-related keywords and intents, which together indicate a social engineering effort aimed at credential phishing. The rule assesses header information and uses natural language understanding to parse the body of the email for contextual clues about intent and urgency. This multi-faceted approach detects not only straightforward impersonation attempts but also those embedded within fraudulent financial requests, strengthening the security posture against sophisticated phishing tactics.
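The following Python script is an added illustration of the detection logic described above, not the Sublime rule itself or its MQL; the freemail list, financial keyword list and sample messages are constructed for this example, and "lookalike" is approximated by checking whether the recipient's domain, with separators removed, appears in the Reply-To local part.

```python
import re
from email.utils import parseaddr

# Constructed lists for this example; they stand in for the rule's freemail and financial-intent logic.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
FINANCIAL_TERMS = re.compile(r"\b(invoice|wire|payment|bank|remit|transfer|overdue)\b", re.I)

def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def _local(addr):
    return parseaddr(addr)[1].rpartition("@")[0].lower()

def _flatten(s):
    # Drop separators so "ap.acme.example", "ap-acme-example" and "apacmeexample" compare equal.
    return re.sub(r"[^a-z0-9]", "", s.lower())

def analyze(msg):
    """Run each check on one inbound message (keys: from, to, reply_to, body) and combine them."""
    sender_domain = _domain(msg["from"])
    reply_domain = _domain(msg.get("reply_to", ""))
    reply_local = _local(msg.get("reply_to", ""))
    org_domain = _domain(msg["to"])  # the recipient's own domain is what the lookalike mimics
    checks = {
        # Reply-To routes replies away from the sending domain...
        "reply_to_mismatch": bool(reply_domain) and reply_domain != sender_domain,
        # ...to a free webmail provider...
        "reply_to_freemail": reply_domain in FREEMAIL_DOMAINS,
        # ...whose local part is built from the recipient's domain ("ap.acme.example@gmail.com")...
        "local_lookalike": bool(reply_local) and _flatten(org_domain) in _flatten(reply_local),
        # ...and the body asks for a payment, wire or banking change.
        "financial_request": FINANCIAL_TERMS.search(msg.get("body", "")) is not None,
    }
    checks["suspicious"] = all(checks.values())
    return checks

# Constructed sample messages.
SAMPLES = {
    "lookalike_invoice": {
        "from": "Accounts Payable <ap@billing-notify.example>", "to": "finance@acme.example",
        "reply_to": "ap.acme.example@gmail.com",
        "body": "Please process the attached invoice and update our wire details today."},
    "freemail_no_lookalike": {
        "from": "receipts@shop.example", "to": "finance@acme.example",
        "reply_to": "bob.smith@gmail.com", "body": "Your payment receipt is attached."},
}

if __name__ == "__main__":
    for name, m in SAMPLES.items():
        print(name, analyze(m))
```

Only the message where every check fires is flagged; a freemail Reply-To with a financial body but no domain lookalike in the local part is left alone, which is what keeps this pattern from alerting on ordinary personal-address replies.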
Categories
  • Web
  • Endpoint
  • Application
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Process
  • Network Traffic
  • Application Log
Created: 2023-02-08