Brand Impersonation: Fake Fax

Sublime Rules

Summary
This detection rule identifies potential brand impersonation attacks delivered as fraudulent fax messages. It targets emails that claim to deliver fax notifications but come from senders that are not recognized, legitimate fax service providers. The rule inspects components of an incoming email, such as the headers, subject line, body, and any attachments, for indicators typical of fax-themed phishing. It flags messages that contain fax-related phrases and high-confidence terms commonly associated with fax notifications, provided the sender's domain does not belong to a well-known, verified fax service. The content analysis relies on regex and string-search functions to match phrases common to both legitimate and fraudulent fax communication.
Categories
  • Endpoint
  • Web
  • Identity Management
  • Other
Data Sources
  • User Account
  • Application Log
  • Network Traffic
  • Process
Created: 2023-08-15