diff --git a/detection-rules/impersonation_sender_local_part_org_sld.yml b/detection-rules/impersonation_sender_local_part_org_sld.yml
new file mode 100644
index 00000000000..3164b7e2678
--- /dev/null
+++ b/detection-rules/impersonation_sender_local_part_org_sld.yml
@@ -0,0 +1,42 @@
+name: "Organization Domain Impersonation From New Sender"
+description: "Detects when an external sender uses the organization's domain as part of the sender's email address while sending links or attachments. The sender must be new or unusual, and either lacks prior reputation or has been previously flagged without false positives."
+type: "rule"
+severity: "low"
+source: |
+ type.inbound
+ // contains a link or attachment
+ and (length(attachments) > 0 or length(body.links) > 0)
+ // has a recipient in the To field
+ and length(recipients.to) > 0
+ // all the recipients are witihn the $org_domains
+ and all(recipients.to, .email.domain.domain in $org_domains)
+ // sender is not within the org_domain
+ and sender.email.domain.root_domain not in $org_domains
+ // the local part of the sender contains an SLD of the org
+ and any($org_slds,
+ // length check avoids FPs on short SLDs
+ length(.) > 3 and strings.icontains(sender.email.local_part, .)
+ )
+
+ and (
+ // the sender prevalence is new / outlier
+ profile.by_sender().prevalence in ("new", "outlier")
+ // or it's been flagged malicious/spam with now FPs
+ or (
+ profile.by_sender().any_messages_malicious_or_spam
+ and not profile.by_sender().any_false_positives
+ )
+ )
+tags:
+ - "Attack surface reduction"
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+detection_methods:
+ - "Sender analysis"
+ - "Header analysis"
+id: "3c9c25ed-69cc-5764-b6bc-7e2aecb8fdb8"
+testing_pr: 2194
+testing_sha: 4878c84ade2d393c30e40ddff17c1a9ffb0ae8df
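Review bot: The recipient check and the sender check in the `source` block compare different domain attributes against the same list: recipients use `.email.domain.domain` while the sender uses `sender.email.domain.root_domain`. If `$org_domains` holds registered (root) domains, a message addressed to a user on an org subdomain fails the `all(recipients.to, ...)` clause and the rule never fires, even though the sender-side exclusion would treat that subdomain as in-org; making both sides consistent, `and all(recipients.to, .email.domain.root_domain in $org_domains)`, closes that gap — assuming the list is root-domain based, which should be confirmed. Two comment typos in the same block are worth fixing before merge: `// all the recipients are witihn the $org_domains` → `within`, and `// or it's been flagged malicious/spam with now FPs` → `with no FPs`, since the second one inverts the meaning of the condition it documents. The stray blank line between the `any($org_slds, ...)` clause and the `and (` prevalence clause breaks the visual grouping of the boolean expression and could be dropped.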