
Summary
This rule identifies potential credential phishing attempts that use hyperlinked images in messages received from untrusted sources. It specifically detects messages that have either very short text bodies or no text at all, where all attachments are images meeting specific criteria (e.g., size and file type). The rule checks whether the hyperlinked images direct users to known free file hosting domains. Furthermore, it incorporates sender analysis, checking against a list of high-trust sender domains and their DMARC authentication results, to minimize false positives. It also excludes emails flagged as solicited or those previously recognized as spam, improving the accuracy of the detection. The purpose of this rule is to protect users from phishing schemes that rely on seemingly harmless images as the lure.
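The detection logic described above, written out as an added Python example (not the rule's own code or its real reference lists): the free-file-host list, the high-trust domain list, the body-length and image-size thresholds, and the sample messages are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed reference data (assumptions; the real rule's lists are not on the page).
FREE_FILE_HOSTS = {"free-share.example", "quickupload.example"}
HIGH_TRUST_DOMAINS = {"trusted-partner.example"}
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}
MAX_BODY_CHARS = 40      # "very short text body" threshold (assumed)
MIN_IMAGE_BYTES = 5_000  # ignore tracking pixels and tiny icons (assumed)

@dataclass
class Attachment:
    content_type: str
    size: int
    link: Optional[str] = None   # URL the inline image is wrapped in, if any

@dataclass
class Message:
    sender_domain: str
    dmarc_pass: bool
    body_text: str
    attachments: List[Attachment]
    solicited: bool = False      # e.g. a reply to mail the user sent first
    prior_spam: bool = False     # already classified as spam upstream

def _hostname(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def is_hyperlinked_image_phish(msg: Message) -> bool:
    """Return True when the message matches the rule's pattern."""
    # Negations first: solicited mail and known spam are out of scope.
    if msg.solicited or msg.prior_spam:
        return False
    # Sender analysis: a high-trust domain that passes DMARC is not "untrusted".
    if msg.sender_domain.lower() in HIGH_TRUST_DOMAINS and msg.dmarc_pass:
        return False
    # Body must be empty or very short.
    if len(msg.body_text.strip()) > MAX_BODY_CHARS:
        return False
    # Every attachment must be an image of meaningful size.
    if not msg.attachments or not all(
        a.content_type in IMAGE_TYPES and a.size >= MIN_IMAGE_BYTES
        for a in msg.attachments
    ):
        return False
    # At least one image must link out to a free file hosting domain.
    return any(a.link and _hostname(a.link) in FREE_FILE_HOSTS for a in msg.attachments)

# Constructed sample messages: an image-only lure and the same lure from a trusted sender.
PHISH = Message("unknown-sender.example", False, "",
                [Attachment("image/png", 48_000, "https://free-share.example/d/inv.pdf")])
TRUSTED = Message("trusted-partner.example", True, "",
                  [Attachment("image/png", 48_000, "https://free-share.example/d/inv.pdf")])
```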
Categories
- Endpoint
- Web
- Application
Data Sources
- User Account
- Network Traffic
- Application Log
- Process
Created: 2024-05-02