
Link: URL shortener with copy-paste instructions and credential theft language
Sublime Rules
Summary
This detection rule identifies messages that contain a link to a known URL shortener together with instructions to copy and paste that link, a combination commonly seen in credential theft scams. It targets an evasion technique in which the attacker sends a short URL and asks the recipient to enter it into the browser manually, so the link is never clicked from the message and automated security controls that analyze URLs are bypassed. The rule's logic encompasses several key checks: it verifies that the message's links include a known URL shortener, checks for specific phrases related to copying and pasting, and uses a natural language understanding (NLU) classifier to detect high-confidence credential theft intent. It also filters out messages where the sender is the same as the recipient or where there are no valid recipients, which keeps the rule focused on potentially malicious messages. Combining content analysis, NLU, and URL analysis strengthens detection of phishing attempts that target user credentials.
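The following Python sketch, added here as an illustration and not the Sublime rule's own source (Sublime rules are written in MQL), reproduces the deterministic parts of the logic above: a shortener-host check on extracted links, a copy-and-paste phrase check, and the sender-equals-recipient / no-recipient exclusion. The NLU credential theft classifier is replaced by a small keyword heuristic, and the shortener host list is a constructed sample, both assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of shortener hosts; the real rule uses a curated list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}

# Phrases that ask the recipient to manually transfer the link into a browser.
COPY_PASTE_RE = re.compile(
    r"\b(copy\s+(and|&)\s+paste|(copy|paste)\s+(this|the)\s+(link|url)|"
    r"(type|enter)\s+(this|the)\s+(link|url|address)\s+(in|into)\s+your\s+browser)\b",
    re.IGNORECASE,
)

# Stand-in for the NLU classifier (assumption): common credential theft pretexts.
CRED_THEFT_RE = re.compile(
    r"\b(verify\s+your\s+(account|password|identity)|password\s+(will\s+)?expire|"
    r"account\s+(has\s+been\s+)?(suspended|locked|limited)|confirm\s+your\s+(credentials|login))\b",
    re.IGNORECASE,
)

# Captures the host part of http(s) URLs found in the message text.
URL_RE = re.compile(r"https?://([^\s/:]+)", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str


def has_shortener_link(text: str) -> bool:
    """True if any URL in the text points at a known shortener host."""
    return any(host.lower() in SHORTENER_HOSTS for host in URL_RE.findall(text))


def matches_rule(msg: Message) -> bool:
    """Apply the rule's checks; all three content conditions must hold."""
    recipients = [r.lower() for r in msg.recipients if r]
    # Exclusion: no valid recipients, or the sender addresses only themself.
    if not recipients or recipients == [msg.sender.lower()]:
        return False
    text = f"{msg.subject}\n{msg.body}"
    return (has_shortener_link(text)
            and COPY_PASTE_RE.search(text) is not None
            and CRED_THEFT_RE.search(text) is not None)
```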
Categories
- Web
- Mobile
- Identity Management
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2026-02-12