
Impersonation: Recipient organization in sender display name with credential theft image
Sublime Rules
Summary
This rule detects a potential impersonation attack in which the sender's display name includes the recipient organization's domain, which can mislead the recipient into believing the sender is affiliated with their organization. It triggers only when all of the following hold: the message carries a single image attachment, the message has no body text, and Optical Character Recognition (OCR) of that image yields text that a natural language understanding classifier judges, with high confidence, to indicate credential theft aimed at the recipient's domain. The rule targets credential phishing that combines display-name impersonation with image-only content, a technique that sidesteps analysis of the message body; its reliance on OCR and intent classification reflects the growing use of images as the sole content carrier in phishing email.
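The conditions above, modelled in plain Python over constructed sample messages. This is an added example, not Sublime's rule or code: it assumes "a single image attachment" means exactly one attachment whose MIME type is an image, and it replaces the OCR and intent-classification step with a caller-supplied filename-to-text mapping plus phrase matching (`OCR_RESULTS`, `CREDENTIAL_THEFT_PHRASES`, `evaluate`, `build_message` and `run_samples` are all names introduced here).

```python
from email.message import EmailMessage
from typing import Callable, Dict

# Stand-in for the OCR + NLU step described in the rule. Assumption (not from
# the page): a real pipeline extracts text from the image and classifies intent
# with a model; here the caller supplies filename -> text and intent is
# approximated by phrase matching that must also name the recipient's domain.
CREDENTIAL_THEFT_PHRASES = (
    "password", "verify your account", "sign in", "log in",
    "will expire", "re-authenticate", "validate your mailbox",
)


def ocr_text_indicates_credential_theft(text: str, recipient_domain: str) -> bool:
    """Credential-theft language that also references the recipient's domain."""
    t = text.lower()
    return bool(recipient_domain) and recipient_domain in t and any(p in t for p in CREDENTIAL_THEFT_PHRASES)


def body_text(msg: EmailMessage) -> str:
    """Text of the first text/plain or text/html body part, or '' if none."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return "" if part is None else part.get_content().strip()


def evaluate(msg: EmailMessage, ocr_text_for: Callable[[str], str]) -> Dict[str, bool]:
    """Return each condition from the rule summary plus an overall 'match' verdict."""
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    recipients = msg["To"].addresses if msg["To"] else ()
    recipient_domain = recipients[0].domain.lower() if recipients else ""
    display_name = (sender.display_name if sender else "").lower()

    # Assumption: "single image attachment" == exactly one attachment, and it is an image.
    attachments = list(msg.iter_attachments())
    single_image = len(attachments) == 1 and attachments[0].get_content_maintype() == "image"
    image_text = ocr_text_for(attachments[0].get_filename() or "") if single_image else ""

    checks = {
        "display_name_contains_recipient_domain": bool(recipient_domain) and recipient_domain in display_name,
        "single_image_attachment": single_image,
        "image_text_indicates_credential_theft": ocr_text_indicates_credential_theft(image_text, recipient_domain),
        "body_text_empty": body_text(msg) == "",
    }
    checks["match"] = all(checks.values())
    return checks


def build_message(display_name: str, sender: str, recipient: str, body: str,
                  attachments: Dict[str, str]) -> EmailMessage:
    """Constructed sample message; `attachments` maps filename -> MIME type."""
    msg = EmailMessage()
    msg["From"] = f'"{display_name}" <{sender}>'
    msg["To"] = recipient
    msg["Subject"] = "Action required"
    if body:  # an image-only message carries no text part at all
        msg.set_content(body)
    for filename, mime in attachments.items():
        maintype, subtype = mime.split("/", 1)
        # Constructed filler bytes; only the declared MIME type matters for this check.
        msg.add_attachment(b"\x00constructed\x00", maintype=maintype, subtype=subtype, filename=filename)
    return msg


# Constructed OCR output for the sample attachment (what a real OCR pass would return).
OCR_RESULTS = {
    "login.png": "Your example.com mailbox password will expire today. Sign in to keep access.",
}

SUSPICIOUS = build_message("example.com IT Helpdesk", "helpdesk@mail-notify.net",
                           "alice@example.com", "", {"login.png": "image/png"})
HAS_BODY = build_message("example.com IT Helpdesk", "helpdesk@mail-notify.net",
                         "alice@example.com", "Hi Alice, see attached.", {"login.png": "image/png"})
TWO_ATTACHMENTS = build_message("example.com IT Helpdesk", "helpdesk@mail-notify.net",
                                "alice@example.com", "",
                                {"login.png": "image/png", "invoice.pdf": "application/pdf"})


def run_samples() -> Dict[str, bool]:
    """Verdict per constructed sample: only the image-only impersonation should match."""
    ocr = lambda name: OCR_RESULTS.get(name, "")
    return {name: evaluate(m, ocr)["match"]
            for name, m in (("suspicious", SUSPICIOUS), ("has_body", HAS_BODY),
                            ("two_attachments", TWO_ATTACHMENTS))}


if __name__ == "__main__":
    for name, matched in run_samples().items():
        print(f"{name}: {'MATCH' if matched else 'no match'}")
```

Each returned dictionary lists every condition separately, so when tuning a rule like this you can see which leg suppressed a match (here, the present body text and the second attachment) rather than only the final verdict. The phrase list is the weakest part of the model and is exactly what the rule's NLU classifier replaces; a real deployment should also expect OCR noise (dropped characters in the domain string) and should not rely on an exact substring match.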
Categories
- Identity Management
- Network
- Endpoint
Data Sources
- Image
- User Account
- Network Traffic
- Application Log
Created: 2026-02-18