diff --git a/detection-rules/impersonate_org_domain_fail_auth.yml b/detection-rules/impersonate_org_domain_fail_auth.yml
new file mode 100644
index 00000000000..d9ab5b0ed70
--- /dev/null
+++ b/detection-rules/impersonate_org_domain_fail_auth.yml
@@ -0,0 +1,47 @@
+name: "Brand impersonation: Organizational domain with authentication failure and no-reply sender"
+description: "Detects messages from senders using organizational domains that fail DMARC authentication, originate from no-reply addresses, and contain credential theft language in the body text or message screenshot."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ // sender domain in $org_domains and fails auth
+ and (
+ sender.email.domain.domain in $org_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ // from a "no reply" sender
+ and regex.icontains(sender.email.local_part,
+ 'noreply|no-reply|donotreply|do-not-reply'
+ )
+ and (
+ // message contains links that don't direct to org domains
+ length(body.links) > 0
+ and not any(body.links, .href_url.domain.domain in $org_domains)
+ )
+ // cred theft intent but exclude legitimate business contexts
+ and (
+ any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "cred_theft" and .confidence == "high"
+ )
+ or (
+ length(body.current_thread.text) == 0
+ and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
+ .name == "cred_theft" and .confidence == "high"
+ )
+ )
+ )
+ and any(ml.nlu_classifier(body.current_thread.text).topics,
+ .name == "File Sharing and Cloud Services" and .confidence == "high"
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Spoofing"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+id: "58ca900b-df16-5125-a5de-e64a7a1bfda3"
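Review bot: The screenshot/OCR fallback in the intent block cannot produce a match, because the trailing topic clause still classifies `body.current_thread.text`, which that branch requires to be empty (`length(body.current_thread.text) == 0`); in practice the rule only fires on messages with body text and the OCR path described in the description is dead. The topic check belongs inside each branch, evaluated on the OCR text in the screenshot branch, as rewritten below. The comment `// cred theft intent but exclude legitimate business contexts` describes an exclusion the block does not perform; it should read `// high-confidence cred theft intent, from body text or the message screenshot`. Separately, if `headers.auth_summary.dmarc.pass` can be absent on a message, `not headers.auth_summary.dmarc.pass` may also match mail with no DMARC evaluation at all rather than an observed failure; confirm whether an explicit failure comparison is intended.
```yaml
  // … unchanged: type.inbound, sender domain/DMARC, no-reply and link conditions …
  // high-confidence cred theft intent and file-sharing topic, from body text or the message screenshot
  and (
    (
      any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
      )
      and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "File Sharing and Cloud Services" and .confidence == "high"
      )
    )
    or (
      length(body.current_thread.text) == 0
      and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
        .name == "cred_theft" and .confidence == "high"
      )
      and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
        .name == "File Sharing and Cloud Services" and .confidence == "high"
      )
    )
  )
```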