VIP impersonation with w2 request

Sublime Rules

Summary
This detection rule identifies potential Business Email Compromise (BEC) attempts that target employees by impersonating a high-ranking individual within the organization, typically referred to as a VIP. The primary focus is on emails requesting W-2 tax forms: sensitive documents containing employee wage data that malicious actors can exploit. The rule applies several key checks to flag suspicious messages. It first verifies whether the sender's display name matches one of the organization's designated VIPs, and requires that the email either originates from outside the organization's trusted domains or has failed DMARC authentication. It then looks for explicit mentions of 'W-2' in both the email subject and body to confirm that the request concerns this form. Next, it analyzes the reply-to address: if the reply-to address differs from the sender's email, that raises a flag. Lastly, the rule disregards emails from recognized high-trust domains unless they have failed DMARC validation, minimizing false positives while keeping detection effective.
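As an added illustration of the checks the summary describes, the Python below evaluates the same five conditions, in the same order, over a handful of constructed sample messages. It is not the Sublime rule's own MQL and is not taken from the project; the VIP list, the organisation and high-trust domains, the sample messages, the decision to match both the "W-2" and "W2" spellings, and the normalised exact-match reading of "matches" are all assumptions made for the demonstration.

```python
"""Illustrative model of the VIP-impersonation / W-2-request checks.

Added example: not the Sublime rule's MQL. Every name, domain and message
below is constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed organisation configuration (assumptions, not the rule's real lists).
ORG_DOMAINS = {"example.com"}                       # the organisation's own domains
VIP_DISPLAY_NAMES = {"Jane Doe", "Alex Smith"}      # designated VIPs
HIGH_TRUST_SENDER_DOMAINS = {"trusted-hr.example"}  # recognised high-trust senders

# Whole-word "W-2", "W 2" or "W2" (optionally plural); matching both spellings is an assumption.
W2_PATTERN = re.compile(r"\bw[-\s]?2s?\b", re.IGNORECASE)


@dataclass
class Message:
    display_name: str          # From: header display name
    from_email: str            # From: header address
    reply_to: Optional[str]    # Reply-To: header address, if present
    subject: str
    body: str
    dmarc_pass: bool           # outcome of DMARC evaluation for this message


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so 'Jane  Doe' == 'jane doe'."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", name.lower()).split())


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def evaluate(msg: Message) -> Tuple[bool, str]:
    """Return (flagged, reason), applying the five checks from the rule summary."""
    # 1. The display name must match a designated VIP.
    vips = {normalize_name(v) for v in VIP_DISPLAY_NAMES}
    if normalize_name(msg.display_name) not in vips:
        return False, "display name is not a VIP"
    # 2. The sender must be external to the organisation, or DMARC must have failed.
    domain = sender_domain(msg.from_email)
    if domain in ORG_DOMAINS and msg.dmarc_pass:
        return False, "internal sender with passing DMARC"
    # 3. Both the subject and the body must explicitly mention W-2.
    if not (W2_PATTERN.search(msg.subject) and W2_PATTERN.search(msg.body)):
        return False, "no W-2 mention in both subject and body"
    # 4. A Reply-To must be present and must differ from the sender address.
    if msg.reply_to is None or msg.reply_to.lower() == msg.from_email.lower():
        return False, "reply-to absent or identical to sender"
    # 5. Recognised high-trust domains are exempt unless DMARC failed.
    if domain in HIGH_TRUST_SENDER_DOMAINS and msg.dmarc_pass:
        return False, "high-trust sender domain with passing DMARC"
    return True, "VIP impersonation with W-2 request"


# Constructed sample messages covering the main true-positive and exemption paths.
SAMPLES: Dict[str, Message] = {
    "external_lookalike": Message(
        "Jane Doe", "jane.doe@example.net", "j.doe@example.org",
        "W-2 forms needed", "Please send me the W-2 forms for all staff today.", True),
    "spoofed_internal_dmarc_fail": Message(
        "Jane Doe", "jane.doe@example.com", "jane.doe.ceo@example.org",
        "Urgent: W2 request", "I need every employee's W2 before noon.", False),
    "legit_internal": Message(
        "Jane Doe", "jane.doe@example.com", None,
        "W-2 forms", "HR, can you confirm the W-2 forms went out?", True),
    "high_trust_pass": Message(
        "Alex Smith", "notify@trusted-hr.example", "alex.smith@example.org",
        "Your W-2 is ready", "Your W-2 for the year is attached.", True),
    "high_trust_dmarc_fail": Message(
        "Alex Smith", "notify@trusted-hr.example", "alex.smith@example.org",
        "Your W-2 is ready", "Reply with all W-2 forms for the finance team.", False),
    "not_a_vip": Message(
        "Sam Jones", "sam@example.net", "sam2@example.org",
        "W-2 forms needed", "Send the W-2 forms please.", True),
}


def run_samples() -> Dict[str, bool]:
    """Evaluate every sample and return {sample name: flagged}."""
    return {name: evaluate(msg)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        flagged, reason = evaluate(msg)
        print(f"{name:28s} {'FLAG' if flagged else 'pass':4s}  {reason}")
```

The ordering mirrors the summary so that the returned reason names the first check a message fails; the two high-trust samples differ only in their DMARC result, which is exactly the distinction the rule's exemption hinges on.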
Categories
  • Endpoint
  • Web
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Application Log
Created: 2026-01-30