Link: Fake secure message notification template

Sublime Rules

Summary
This rule detects inbound messages that contain embedded links and carry a distinctive HTML/CSS fingerprint associated with a credential-phishing template. Three conditions must all hold: the message is inbound, body.links is non-empty, and the raw HTML body (body.html.raw) contains the specific CSS fingerprint, namely background-color: rgb(41, 88, 140), border-bottom: 10px solid rgb(41, 88, 140), and padding: 1.6em, each matched with flexible whitespace. The intent is to catch credential phishing that relies on a consistent visual template (a fake "secure message" notification) to lure users into clicking a malicious link.

When matched, the rule raises a medium-severity detection mapped to Credential Phishing. Tactics and techniques are Evasion (styling tricks to avoid generic detectors) and Social engineering (a lure built on a legitimate-looking template). Detection methods are HTML analysis, Content analysis, and URL analysis; note that the rule's own link condition is only that body.links is non-empty, so it does not itself assess link reputation.

The rule relies solely on content data from inbound messages (the HTML body and link list), so it can be evaded by altering any part of the fingerprint (a different colour, border width or padding value) or by removing or obfuscating the links. False positives may occur if legitimate notifications reuse the same styling. Operators may consider augmenting it with URL reputation, sender-domain checks, and cross-referencing against known legitimate templates to reduce false positives. The rule is suitable for email or webmail gateways and any messaging pipeline that can inspect inbound HTML content.
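The following is an added Python example, not the rule's own MQL or any Sublime Rules code, that reproduces the three-part logic described above over constructed sample messages. The Message class, the field names, the regexes and the sample HTML (with the domain example.invalid) are assumptions made for illustration; it also shows the evasion the summary warns about (changing padding from 1.6em to 1.5em defeats the fingerprint) and the outbound and no-link cases that must not fire.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical stand-in for the platform's message context. The attribute names
# echo the MQL paths in the summary (type.inbound, body.links, body.html.raw),
# but this is illustrative code, not the real rule or data model.
@dataclass
class Message:
    inbound: bool
    html_raw: str

    @property
    def links(self) -> List[str]:
        # Crude href extraction; the real body.links is a richer link list.
        return re.findall(r'href\s*=\s*["\']([^"\']+)["\']', self.html_raw, re.I)

# The colour fingerprint, tolerating optional whitespace inside rgb(...).
_RGB = r"rgb\(\s*41\s*,\s*88\s*,\s*140\s*\)"

# One regex per CSS property named in the summary; all three must be present.
FINGERPRINT: Dict[str, "re.Pattern[str]"] = {
    "background-color": re.compile(rf"background-color\s*:\s*{_RGB}", re.I),
    "border-bottom": re.compile(rf"border-bottom\s*:\s*10px\s+solid\s+{_RGB}", re.I),
    "padding": re.compile(r"padding\s*:\s*1\.6em", re.I),
}


def evaluate(msg: Message) -> Dict[str, bool]:
    """Return every condition's result so an analyst can see which one failed."""
    results = {"inbound": msg.inbound, "has_links": bool(msg.links)}
    for name, pattern in FINGERPRINT.items():
        results[name] = pattern.search(msg.html_raw) is not None
    return results


def matches(msg: Message) -> bool:
    """True only when the inbound, link and all fingerprint conditions hold."""
    return all(evaluate(msg).values())


# Constructed sample: a fake "secure message" notification using the template,
# with deliberately uneven whitespace to exercise the flexible matching.
LURE_HTML = """<html><body>
<div style="background-color: rgb(41, 88, 140); padding: 1.6em;">
  <p style="border-bottom:10px solid rgb(41,88,140)">You have a new secure message</p>
  <a href="https://example.invalid/view">View message</a>
</div></body></html>"""

# Evasion variant: one property changed, everything else identical.
EVADED_HTML = LURE_HTML.replace("1.6em", "1.5em")

# Same template but with the link removed, so body.links is empty.
NO_LINKS_HTML = re.sub(r"<a [^>]*>.*?</a>", "", LURE_HTML)

SAMPLES = {
    "inbound lure": Message(True, LURE_HTML),
    "outbound copy of template": Message(False, LURE_HTML),
    "inbound, padding changed": Message(True, EVADED_HTML),
    "inbound, no links": Message(True, NO_LINKS_HTML),
}


def run_samples() -> Dict[str, bool]:
    """Evaluate every constructed sample; only the first should match."""
    return {name: matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{'MATCH ' if hit else 'no match'}  {name}")
        if not hit:
            failed = [k for k, v in evaluate(SAMPLES[name]).items() if not v]
            print(f"           failed conditions: {failed}")
```

The per-condition output from evaluate() is what you want when tuning: a miss caused by a changed padding value points to a template variant worth a looser fingerprint, whereas a miss caused by an empty link list is expected behaviour.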
Categories
  • Endpoint
  • Web
Data Sources
  • File
  • Application Log
Created: 2026-06-26