Brand impersonation: Microsoft

Sublime Rules

Summary
This detection rule targets brand impersonation attacks that abuse the Microsoft brand. Such attacks typically rely on social engineering to trick users into handing over sensitive information, most often through phishing emails that appear to come from a credible Microsoft source. The rule evaluates several conditions on each incoming message to identify likely phishing. It inspects the subject line and body for phrases commonly used in brand impersonation, such as mentions of Microsoft 365 combined with a claim that an account or service has expired. Additional checks exclude messages that originate from verified Microsoft domains and messages that are legitimate Office 365 bouncebacks. Sender analysis complements the content checks: a sender with a low reputation, or one that falls into an unusual category, is treated as a stronger indicator that the message is malicious or spam.
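The following is an added illustration of the logic the summary describes, written for this page rather than taken from the Sublime rule itself. The domain list, phrase patterns, bounceback heuristic, reputation values and category labels are all assumptions chosen for the example; the real rule's lists are not reproduced on the page. The sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Assumed allow-list of verified Microsoft sending domains (not the rule's own list).
VERIFIED_MICROSOFT_DOMAINS = {
    "microsoft.com", "office.com", "office365.com", "microsoftonline.com",
}

# Assumed brand and urgency phrases; the rule checks subject and body for
# mentions of Microsoft 365 together with an "expired" account or service.
BRAND_PHRASES = [
    re.compile(r"\bmicrosoft\s*365\b", re.I),
    re.compile(r"\boffice\s*365\b", re.I),
]
EXPIRY_PHRASES = [re.compile(r"\b(expired|expiring|expires?)\b", re.I)]

# Assumed shape of an Office 365 bounceback: a postmaster/mailer-daemon sender
# with a delivery-failure subject line.
BOUNCEBACK_SENDERS = ("postmaster@", "mailer-daemon@")
BOUNCEBACK_SUBJECT = re.compile(r"^(undeliverable|delivery status notification)", re.I)

# Hypothetical sender-profile labels standing in for reputation/category data.
LOW_REPUTATION = {"low", "unknown"}
UNUSUAL_CATEGORIES = {"unknown", "malicious", "spam"}


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    sender_reputation: str  # constructed: "high", "low" or "unknown"
    sender_category: str    # constructed label, e.g. "vendor", "bounce", "unknown"


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def is_verified_microsoft(domain: str) -> bool:
    """True for an allow-listed Microsoft domain or any of its subdomains."""
    return domain in VERIFIED_MICROSOFT_DOMAINS or any(
        domain.endswith("." + d) for d in VERIFIED_MICROSOFT_DOMAINS
    )


def looks_like_o365_bounceback(msg: Message) -> bool:
    """Exclude delivery-failure notifications, which quote the original phishing text."""
    return (
        msg.sender.lower().startswith(BOUNCEBACK_SENDERS)
        and BOUNCEBACK_SUBJECT.search(msg.subject) is not None
    )


def matches_brand_impersonation(msg: Message) -> bool:
    """Apply the content, domain, bounceback and sender checks in order."""
    text = f"{msg.subject}\n{msg.body}"
    mentions_brand = any(p.search(text) for p in BRAND_PHRASES)
    mentions_expiry = any(p.search(text) for p in EXPIRY_PHRASES)
    if not (mentions_brand and mentions_expiry):
        return False                      # content does not match the lure
    if is_verified_microsoft(sender_domain(msg.sender)):
        return False                      # genuine Microsoft sender
    if looks_like_o365_bounceback(msg):
        return False                      # legitimate Office 365 bounceback
    # Sender analysis: low reputation or an unusual category tips the verdict.
    return (
        msg.sender_reputation in LOW_REPUTATION
        or msg.sender_category in UNUSUAL_CATEGORIES
    )


# Constructed sample messages covering each branch of the rule.
SAMPLE_MESSAGES = [
    Message("alerts@micros0ft-support.example",
            "Your Microsoft 365 subscription has expired",
            "Renew now to avoid losing access.", "low", "unknown"),
    Message("no-reply@microsoft.com",
            "Your Microsoft 365 subscription has expired",
            "Renew now to avoid losing access.", "high", "vendor"),
    Message("postmaster@outlook.example",
            "Undeliverable: Your Microsoft 365 account has expired",
            "Delivery has failed to these recipients.", "high", "bounce"),
    Message("newsletter@partner.example",
            "Microsoft 365 tips for admins",
            "This month's productivity tips.", "low", "unknown"),
]


def evaluate_all(messages):
    """Return one verdict per message, in input order."""
    return [matches_brand_impersonation(m) for m in messages]


if __name__ == "__main__":
    for m, hit in zip(SAMPLE_MESSAGES, evaluate_all(SAMPLE_MESSAGES)):
        print(f"{'FLAG' if hit else 'pass'}  {m.sender:<35} {m.subject}")
```

Only the first sample is flagged: the second is excluded by the verified-domain check, the third by the bounceback check, and the fourth never satisfies the content condition because it mentions the brand without any expiry language. Ordering the cheap content checks first and the exclusions second mirrors how the summary describes the rule, and keeps the sender-reputation lookup for messages that already look like the lure.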
Categories
  • Identity Management
  • Cloud
  • Web
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2021-08-06