
Summary
This detection rule identifies credential-phishing emails that impersonate the social media platform X (formerly Twitter). It fires when the sender's display name or the local part of the sender address consists solely of the letter "X" and the message does not originate from the platform's legitimate domains, twitter.com or x.com.

Impersonation alone is not enough to flag a message. The rule also requires evidence of credential-theft intent: Natural Language Understanding (NLU) over the message body must classify the intent as credential theft with medium or high confidence, or an attachment (an image or a text file) must carry markers of that intent when analyzed with computer vision or text analysis. The sender profile must additionally be new, or an outlier that may have a history of malicious or spam messages and no prior false positives.

To limit noise, the rule negates high-trust sender domains unless the message fails DMARC authentication. The domain salesforce.com receives special handling because it has historically been abused for X (Twitter)-themed phishing campaigns.

Taken together, the rule combines header analysis, NLU, computer vision and sender-reputation signals to reduce the risk of impersonation and credential phishing.
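To make the decision flow concrete, the following is an added example, not the rule's own code or the detection platform's API. It re-implements the conditions described above in plain Python and runs them over a few constructed sample messages. The NLU verdict, the attachment analysis result and the sender-profile lookup that the real rule obtains from its platform are represented here as fields already present on each message; the high-trust domain list (trusted-saas.example) and the assumption that salesforce.com's special handling means it is never granted the DMARC-pass exemption are both hypothetical.

```python
from email.utils import parseaddr

LEGIT_X_DOMAINS = {"twitter.com", "x.com"}
# Hypothetical high-trust list; the real rule's list is not given on the page.
HIGH_TRUST_DOMAINS = {"trusted-saas.example", "salesforce.com"}
# Assumption: "special handling" for salesforce.com means it keeps being
# evaluated even when DMARC passes, because it has been abused for X phishing.
NEVER_EXEMPT_DOMAINS = {"salesforce.com"}
MIN_CONFIDENCE = {"medium", "high"}


def sender_parts(from_header: str):
    """Split a From: header into (display name, local part, domain), lower-cased."""
    name, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    return name.strip().lower(), local.lower(), domain.lower()


def impersonates_x(from_header: str) -> bool:
    """Display name or local part is exactly the letter X (case-insensitive is an
    assumption) and the domain is not a legitimate X/Twitter domain."""
    name, local, domain = sender_parts(from_header)
    if domain in LEGIT_X_DOMAINS:
        return False
    return name == "x" or local == "x"


def has_cred_theft_intent(msg: dict) -> bool:
    """Body NLU says credential theft at medium/high confidence, or an image/text
    attachment carries a credential-theft marker (stand-in for CV/text analysis)."""
    body = msg.get("body_nlu", {})
    if body.get("intent") == "cred_theft" and body.get("confidence") in MIN_CONFIDENCE:
        return True
    return any(att.get("type") in ("image", "text") and att.get("cred_theft_marker")
               for att in msg.get("attachments", []))


def suspicious_sender(profile: dict) -> bool:
    """New sender, or an outlier sender that has never produced a false positive."""
    if profile.get("type") == "new":
        return True
    return profile.get("type") == "outlier" and not profile.get("prior_false_positives", False)


def trusted_sender_exempt(domain: str, dmarc: str) -> bool:
    """Negate high-trust domains unless DMARC fails; never exempt abused domains."""
    if domain in NEVER_EXEMPT_DOMAINS:
        return False
    return domain in HIGH_TRUST_DOMAINS and dmarc == "pass"


def evaluate(msg: dict) -> bool:
    """True when the message satisfies every condition of the rule."""
    if not impersonates_x(msg["from"]):
        return False
    if not has_cred_theft_intent(msg):
        return False
    if not suspicious_sender(msg.get("sender_profile", {})):
        return False
    _, _, domain = sender_parts(msg["from"])
    return not trusted_sender_exempt(domain, msg.get("dmarc", "none"))


# Constructed sample messages (not real captures).
CRED_THEFT_HIGH = {"intent": "cred_theft", "confidence": "high"}
SAMPLE_MESSAGES = {
    "lookalike_new_sender": {
        "from": "X <no-reply@x-account-security.example>", "dmarc": "pass",
        "body_nlu": CRED_THEFT_HIGH, "sender_profile": {"type": "new"}},
    "legitimate_x": {
        "from": "X <info@x.com>", "dmarc": "pass",
        "body_nlu": CRED_THEFT_HIGH, "sender_profile": {"type": "new"}},
    "salesforce_relay_dmarc_pass": {
        "from": "X <noreply@salesforce.com>", "dmarc": "pass",
        "body_nlu": CRED_THEFT_HIGH,
        "sender_profile": {"type": "outlier", "prior_false_positives": False}},
    "trusted_dmarc_pass": {
        "from": "X <alerts@trusted-saas.example>", "dmarc": "pass",
        "body_nlu": CRED_THEFT_HIGH, "sender_profile": {"type": "new"}},
    "trusted_dmarc_fail": {
        "from": "X <alerts@trusted-saas.example>", "dmarc": "fail",
        "body_nlu": {"intent": "cred_theft", "confidence": "medium"},
        "sender_profile": {"type": "new"}},
    "local_part_x_image_only": {
        "from": "Support <x@mailer.example>", "dmarc": "none",
        "body_nlu": {"intent": "cred_theft", "confidence": "low"},
        "attachments": [{"type": "image", "cred_theft_marker": True}],
        "sender_profile": {"type": "new"}},
    "not_bare_x": {
        "from": "Xavier <xavier@example.org>", "dmarc": "none",
        "body_nlu": CRED_THEFT_HIGH, "sender_profile": {"type": "new"}},
}


def run_all() -> dict:
    """Evaluate every sample and return {name: matched}."""
    return {name: evaluate(msg) for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, matched in run_all().items():
        print(f"{name:30s} -> {'FLAG' if matched else 'pass'}")
```

Each helper maps to one clause of the summary, so a tuning change (for example dropping the attachment path, or adding a domain to the never-exempt set) is a one-line edit whose effect can be checked against the sample set before it is deployed.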
Categories
- Cloud
- Web
- Application
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2023-10-19