
Summary
This detection rule identifies potential phishing attempts by monitoring messages from authenticated Google domains that contain links to the g.co URL shortener, specifically when those links carry a subdomain. Its primary goal is to flag messages that could be impersonating legitimate Google services, particularly in credential phishing attacks. The rule requires two sender conditions: the sender's domain ends in .google, and the message passes SPF authentication. It then applies content and header analysis to the message body and the thread text to detect g.co URLs that include a subdomain. Because it matches on the specific patterns associated with g.co links rather than on one literal form, the detection remains robust against simple manipulation of the URL format that attackers might use as an evasion tactic. The rule therefore acts as a checkpoint protecting users from links that may lead to phishing sites.
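The following is an added illustration of the rule's logic, not the vendor's own rule code. It models the three conditions described above (sender domain ends in .google, SPF passes, a g.co link with at least one subdomain appears in the body or thread text) over constructed sample messages. The `Message` dataclass, the `spf_result` field and the regular expression are assumptions made for this example; a real mail platform would take these values from the parsed headers.

```python
import re
from dataclasses import dataclass

# Matches a g.co host that carries at least one subdomain label, e.g.
# "accounts.g.co" or "https://docs.g.co/x"; a bare "https://g.co/x" does
# not match. The scheme is optional so a link pasted without "https://"
# is still caught, and the lookahead stops "g.com" or "g.co.uk" matching.
G_CO_SUBDOMAIN = re.compile(
    r"(?i)(?:https?://)?(?:[a-z0-9-]+\.)+g\.co(?=[/?#\s]|$)"
)


@dataclass
class Message:
    sender: str            # From header address (constructed for this example)
    spf_result: str        # SPF outcome as a string: "pass", "fail", "none", ...
    body: str              # rendered body text
    thread_text: str = ""  # quoted earlier messages in the thread


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip("<>").lower()


def gco_subdomain_links(text: str) -> list[str]:
    """Return every g.co link with a subdomain found in the text."""
    return [m.group(0) for m in G_CO_SUBDOMAIN.finditer(text)]


def matches_rule(msg: Message) -> bool:
    """True when the message satisfies all three detection conditions."""
    if not sender_domain(msg.sender).endswith(".google"):
        return False
    if msg.spf_result.lower() != "pass":
        return False
    # Both the body and the quoted thread text are inspected.
    return bool(gco_subdomain_links(msg.body) or gco_subdomain_links(msg.thread_text))


if __name__ == "__main__":
    # Constructed sample messages, not real traffic.
    samples = [
        Message("noreply@mail.google", "pass", "Verify: https://accounts.g.co/verify"),
        Message("noreply@mail.google", "pass", "Verify: https://g.co/verify"),
        Message("noreply@mail.google", "fail", "Verify: https://accounts.g.co/verify"),
        Message("support@example.com", "pass", "Verify: https://accounts.g.co/verify"),
        Message("noreply@mail.google", "pass", "Thanks", thread_text="see docs.g.co/x"),
    ]
    for s in samples:
        print(f"{s.sender:28} spf={s.spf_result:4} -> {'ALERT' if matches_rule(s) else 'ok'}")
```

Only the first and last samples fire: the second has no subdomain on g.co, the third fails SPF, and the fourth is not sent from a .google domain.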
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2025-01-29