
Summary
This detection rule monitors for potentially malicious messages originating from the domain 'myactivecampaign.com'. It flags messages that contain a limited number of links (between 1 and 9) and use language indicating a high-confidence credential-theft intent, as determined by natural language processing applied to the message text for indicators of phishing and social-engineering tactics. It further requires that at least one of the links does not point to the trusted domain 'activehosted.com', which improves the odds of catching phishing attempts that rely on deceptive links. The rule is rated medium severity because credential phishing can lead to unauthorized access and data breaches.
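The following is an added, constructed example that re-implements the rule's structural checks in Python so the logic can be exercised over sample messages; it is not the vendor's rule code. The sender-domain, link-count (1 to 9) and untrusted-link conditions follow the summary above. The credential-theft NLU classifier is replaced by a keyword heuristic (an assumption made so the example runs offline; `CRED_THEFT_PHRASES` and the two-hit threshold are not from the page), and the sample messages and their domains are constructed.

```python
import re
from urllib.parse import urlparse

# Conditions taken from the rule summary
SENDER_DOMAIN = "myactivecampaign.com"
TRUSTED_LINK_DOMAIN = "activehosted.com"
MIN_LINKS, MAX_LINKS = 1, 9

# Assumption: stand-in for the rule's NLU classifier. Two or more phrase hits
# are treated as "high-confidence credential-theft intent" in this example.
CRED_THEFT_PHRASES = (
    "verify your account", "verify your password", "account has been suspended",
    "confirm your password", "unusual sign-in", "update your payment",
    "within 24 hours", "sign in to restore", "your account will be closed",
)

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def extract_links(body: str) -> list[str]:
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(body)


def sender_domain(from_addr: str) -> str:
    """Domain of the From address, tolerating a display name in angle brackets."""
    addr = from_addr.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower()


def link_host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    """Exact match or subdomain of the trusted domain; 'activehosted.com.evil.test' is not trusted."""
    return host == TRUSTED_LINK_DOMAIN or host.endswith("." + TRUSTED_LINK_DOMAIN)


def credential_theft_intent(text: str) -> bool:
    lowered = text.lower()
    return sum(1 for p in CRED_THEFT_PHRASES if p in lowered) >= 2


def evaluate(message: dict) -> dict:
    """Evaluate one message; every condition must hold for the rule to match."""
    links = extract_links(message["body"])
    checks = {
        "sender_domain": sender_domain(message["from"]) == SENDER_DOMAIN,
        "link_count": MIN_LINKS <= len(links) <= MAX_LINKS,
        "credential_theft_intent": credential_theft_intent(message["body"]),
        "untrusted_link": any(not is_trusted_host(link_host(u)) for u in links),
    }
    matched = all(checks.values())
    checks["matched"] = matched
    return checks


# Constructed sample messages (hosts under .test are placeholders)
SAMPLE_MESSAGES = {
    "lure": {
        "from": "Account Security <alerts@myactivecampaign.com>",
        "body": ("Your account has been suspended due to an unusual sign-in. "
                 "Verify your password within 24 hours: "
                 "https://secure-login.example.test/verify"),
    },
    "newsletter": {
        "from": "news@myactivecampaign.com",
        "body": ("This week's product updates: https://news.activehosted.com/issue/42 "
                 "and https://help.activehosted.com/faq"),
    },
    "many_links": {
        "from": "alerts@myactivecampaign.com",
        "body": "Verify your password within 24 hours: "
                + " ".join(f"https://x{i}.example.test/" for i in range(10)),
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(name, evaluate(msg))
```

Only the `lure` sample matches: the newsletter links only to `activehosted.com` subdomains, and the `many_links` sample exceeds the nine-link ceiling even though its wording trips the intent heuristic, which is the behaviour the rule's link-count bound is meant to produce.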
Categories
- Web
- Cloud
- Identity Management
Data Sources
- Web Credential
- User Account
Created: 2025-08-21