
Summary
This rule detects inbound messages that link to Nylas tracking subdomains and whose text reads as a credential-theft lure. It combines a URL/structure check with a natural language understanding (NLU) signal. The URL side requires a link whose second-level domain (SLD) is nylas, whose subdomain contains tracking, and whose display_text is non-null, meaning the link is hyperlinked text rather than a bare URL, so the visible text can differ from the tracking destination. The NLU side runs a classifier on the thread text and requires an intent of cred_theft with a confidence that is not low. The rule fires only when both conditions hold on the same message.

The rule targets abuse of a legitimate email tracking service for credential phishing (BEC/Fraud) and for social engineering that uses the trusted tracking host to evade URL reputation checks (Evasion). It uses content analysis, URL/domain analysis, and NLU. Severity is medium: the rule identifies likely credential-harvesting attempts without establishing malicious intent. Because link tracking rewrites destinations through the tracking host, the visible URL says little about where it leads, so analysts should compare the display text with the actual URL and, where safe, the final redirect target. Legitimate communications that carry Nylas tracking links can produce false positives in environments where senders use the service, and the NLU gate is what separates those from lures.
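The following is an added reference implementation of the rule logic described above, written for this page; it is not the rule's own query language nor any vendor's code. It assumes messages arrive as dicts with a direction, a list of links (url plus display_text) and an nlu field holding classifier output (intent, confidence), and it treats the NLU classifier as an upstream black box whose results are supplied rather than computed. Hostnames are split assuming a single-label public suffix, so the SLD is the second-to-last label; multi-label suffixes such as co.uk are not handled. The sample messages are constructed for illustration.

```python
"""Reference evaluation of the Nylas-tracking credential-theft rule.

Added example, not the rule's own code. Assumptions (see lead-in):
 - message dicts carry 'direction', 'links' and precomputed 'nlu' results;
 - the NLU classifier output is an input, not computed here;
 - SLD = second-to-last hostname label (single-label public suffix only).
"""
from urllib.parse import urlparse

LOW_CONFIDENCE = "low"


def split_host(url):
    """Return (subdomain, sld, tld) for the URL's hostname, lowercased.

    Returns (None, None, None) when there is no usable hostname.
    Approximation: the last label is the TLD, the one before it the SLD.
    """
    host = urlparse(url).hostname
    if not host:
        return (None, None, None)
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return (None, None, None)
    return (".".join(labels[:-2]), labels[-2], labels[-1])


def link_matches(link):
    """URL/content condition: SLD is 'nylas', subdomain contains 'tracking',
    and the link carries display text (it is hyperlinked, so the visible
    text can differ from the tracking URL)."""
    subdomain, sld, _ = split_host(link.get("url", ""))
    if sld != "nylas" or not subdomain or "tracking" not in subdomain:
        return False
    return link.get("display_text") is not None


def nlu_matches(nlu_results):
    """NLU condition: some classifier result has intent cred_theft with a
    confidence other than 'low'."""
    return any(
        r.get("intent") == "cred_theft" and r.get("confidence") != LOW_CONFIDENCE
        for r in nlu_results
    )


def rule_fires(message):
    """The rule triggers only for inbound messages where both the link
    condition and the NLU condition hold."""
    if message.get("direction") != "inbound":
        return False
    links = message.get("links", [])
    return any(link_matches(link) for link in links) and nlu_matches(message.get("nlu", []))


# Constructed sample messages covering the hit case and the main miss cases.
SAMPLE_MESSAGES = [
    {   # hyperlinked Nylas tracking link + cred_theft NLU -> fires
        "id": "lure",
        "direction": "inbound",
        "links": [{"url": "https://tracking.nylas.com/t/abc123",
                   "display_text": "Review the shared document"}],
        "nlu": [{"intent": "cred_theft", "confidence": "high"}],
    },
    {   # same link, benign intent -> legitimate tracked mail, no hit
        "id": "benign-tracked",
        "direction": "inbound",
        "links": [{"url": "https://tracking.nylas.com/t/abc123",
                   "display_text": "Meeting agenda"}],
        "nlu": [{"intent": "meeting_request", "confidence": "high"}],
    },
    {   # bare URL (display_text null) -> URL condition fails
        "id": "bare-url",
        "direction": "inbound",
        "links": [{"url": "https://tracking.nylas.com/t/abc123", "display_text": None}],
        "nlu": [{"intent": "cred_theft", "confidence": "high"}],
    },
    {   # cred_theft at low confidence -> NLU condition fails
        "id": "low-confidence",
        "direction": "inbound",
        "links": [{"url": "https://tracking.nylas.com/t/abc123",
                   "display_text": "Verify your account"}],
        "nlu": [{"intent": "cred_theft", "confidence": "low"}],
    },
    {   # lookalike host: SLD is 'example', not 'nylas' -> no hit
        "id": "lookalike",
        "direction": "inbound",
        "links": [{"url": "https://nylas-tracking.example.com/t/abc123",
                   "display_text": "Verify your account"}],
        "nlu": [{"intent": "cred_theft", "confidence": "high"}],
    },
    {   # outbound copy of the lure -> out of scope
        "id": "outbound",
        "direction": "outbound",
        "links": [{"url": "https://tracking.nylas.com/t/abc123",
                   "display_text": "Review the shared document"}],
        "nlu": [{"intent": "cred_theft", "confidence": "high"}],
    },
]


def evaluate(messages=SAMPLE_MESSAGES):
    """Map each sample message id to whether the rule fires on it."""
    return {m["id"]: rule_fires(m) for m in messages}


if __name__ == "__main__":
    for msg_id, hit in evaluate().items():
        print(f"{msg_id:15s} -> {'ALERT' if hit else 'no hit'}")
```

The lookalike and bare-URL cases are the ones worth keeping in mind when tuning: the SLD check is what prevents a host such as nylas-tracking.example.com from matching, and the display_text requirement deliberately ignores links shown as their raw URL, so a lure that pastes the tracking URL verbatim is not caught by this rule.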
Categories
- Endpoint
- Web
Data Sources
- Domain Name
- Network Traffic
Created: 2026-03-07