Attachment: SVG file with hyperlinks and cursor styling

Sublime Rules

Summary
Technical summary: This rule detects inbound messages that carry SVG attachments containing clickable hyperlinks and CSS pointer cursor styling, a pattern commonly used in image-based credential phishing.

Trigger conditions: a message with an attachment whose file extension is svg, whose content_type is image/svg+xml, or whose file_type equals svg. The rule then expands the attachment contents and searches for embedded XML/HTML markup by confirming the presence of an anchor tag (<a>). If such an anchor is found, it parses the attachment text (ASCII or UTF-8) and checks for a cursor attribute or style indicating a clickable image by matching the pattern cursor="pointer" or cursor='pointer'. When all conditions are met, the detection flags a potential phishing payload.

Classification: medium severity, with attack_type Credential Phishing, and techniques including Evasion and Image as content. Detection methods used include File analysis, XML analysis, and Content analysis. The rule applies to inbound messages and relies on file-level analysis rather than network flows.

Potential limitations include misses for SVGs that use cursor styling other than a direct cursor attribute (e.g., style="cursor: pointer" or other CSS variations), reliance on anchor tags for link detection, and possible false positives on legitimate SVGs that contain links.
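The detection logic described above, reimplemented in Python as an added example (this is not the Sublime rule's own code, and the Attachment field names and sample SVGs are constructed assumptions). It also shows the style="cursor: pointer" variant from the limitations paragraph and a broader check that would catch it:

```python
import re
from dataclasses import dataclass

# Constructed attachment model; field names mirror the rule's trigger
# conditions (file extension, content_type, file_type) but are assumptions.
@dataclass
class Attachment:
    file_name: str
    content: bytes
    content_type: str = ""
    file_type: str = ""

ANCHOR_RE = re.compile(r"<a\b", re.IGNORECASE)
# The pattern the rule is described as matching: a bare cursor attribute.
CURSOR_ATTR_RE = re.compile(r"""cursor=(?:"pointer"|'pointer')""", re.IGNORECASE)
# Broader variant covering the inline-style case the rule misses.
CURSOR_STYLE_RE = re.compile(r"cursor\s*:\s*pointer", re.IGNORECASE)

def is_svg(att: Attachment) -> bool:
    """Trigger: extension svg, content_type image/svg+xml, or file_type svg."""
    return (att.file_name.lower().endswith(".svg")
            or att.content_type.lower() == "image/svg+xml"
            or att.file_type.lower() == "svg")

def attachment_text(att: Attachment) -> str:
    """Expand the attachment to text (ASCII or UTF-8), as the rule does."""
    return att.content.decode("utf-8", errors="ignore")

def matches_rule(att: Attachment) -> bool:
    """Rule logic as summarised: SVG + anchor tag + cursor='pointer' attribute."""
    if not is_svg(att):
        return False
    text = attachment_text(att)
    return bool(ANCHOR_RE.search(text)) and bool(CURSOR_ATTR_RE.search(text))

def matches_extended(att: Attachment) -> bool:
    """Same check, extended to the style="cursor: pointer" variant."""
    if not is_svg(att):
        return False
    text = attachment_text(att)
    has_cursor = CURSOR_ATTR_RE.search(text) or CURSOR_STYLE_RE.search(text)
    return bool(ANCHOR_RE.search(text)) and bool(has_cursor)

# Constructed samples (not real phishing artifacts).
SVG_HEAD = b'<svg xmlns="http://www.w3.org/2000/svg">'
SVG_ATTR = Attachment("invoice.svg", SVG_HEAD + b'<a href="https://login.example.test/">'
                      b'<rect width="200" height="60" cursor="pointer"/></a></svg>', "image/svg+xml")
SVG_STYLE = Attachment("invoice.svg", SVG_HEAD + b'<a href="https://login.example.test/">'
                       b'<rect width="200" height="60" style="cursor: pointer"/></a></svg>', "image/svg+xml")
SVG_PLAIN = Attachment("logo.svg", SVG_HEAD + b'<circle r="10" cursor="pointer"/></svg>', "image/svg+xml")
PNG = Attachment("photo.png", b'<a cursor="pointer">', "image/png")
```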
Categories
  • Endpoint
Data Sources
  • File
Created: 2026-05-21