
Summary
This rule detects credential phishing delivered by email where the linked destinations use Russian top-level domains (TLDs), namely '.ru' and '.su'. It runs aggressive link analysis over the links in the message, looking for the usual indicators of a phishing destination: suspicious keywords, a login prompt on the landing page, or a link previously identified as associated with credential theft. Messages from well-established, trusted domains are excluded unless they fail DMARC authentication, which keeps legitimate senders from triggering the rule while still catching spoofed mail that impersonates them. Detection combines several signals: content analysis of the email body, header checks, Natural Language Understanding (NLU) to determine the message's intent, and in-depth analysis of the URLs the message contains. The rule only fires on messages with a small number of links, so that it concentrates on targeted lures rather than link-heavy spam or newsletters. It also weighs the sender's reputation from prior interactions and treats unsolicited messages, those that break the established communication pattern between sender and recipient, as more suspicious. Together these checks provide a defense against credential phishing campaigns that rely on this particular regional infrastructure.
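The following Python script is an added illustration of the decision logic the summary describes; it is not the rule's own query or any vendor code. The link-count threshold (MAX_LINKS), the suspicious-keyword list, the trusted-domain list, and the LinkVerdict structure standing in for the output of link analysis are all assumptions chosen for the example, and the sample emails at the bottom are constructed.

```python
"""Illustrative re-implementation of a '.ru/.su credential phishing' rule.

Added example, not the rule's own logic. Thresholds, keyword lists, trusted
domains and the LinkVerdict shape are assumptions for illustration only.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlparse

RUSSIAN_TLDS = {"ru", "su"}                       # TLDs named in the rule summary
MAX_LINKS = 10                                    # assumed upper bound on links per message
SUSPICIOUS_KEYWORDS = ("verify", "password", "account",
                       "expire", "suspend", "update")  # assumed keyword list
TRUSTED_DOMAINS = {"microsoft.com", "google.com", "paypal.com"}  # assumed examples

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


@dataclass
class LinkVerdict:
    """Stand-in for what link analysis reports about a visited URL."""
    has_login_form: bool = False
    known_credential_theft: bool = False


@dataclass
class Email:
    sender_domain: str
    dmarc_pass: bool
    body: str
    solicited: bool = False                     # prior benign interaction with this sender
    link_analysis: Dict[str, LinkVerdict] = field(default_factory=dict)


def extract_links(body: str) -> List[str]:
    # Strip trailing punctuation that commonly sticks to URLs in prose.
    return [u.rstrip(".,;:!?") for u in URL_RE.findall(body)]


def link_tld(url: str) -> str:
    host = urlparse(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""


def evaluate(email: Email) -> Tuple[bool, str]:
    """Return (matched, reason) for one message."""
    links = extract_links(email.body)
    # Keep the rule focused on targeted lures; link-heavy mail is left to other rules.
    if not 1 <= len(links) <= MAX_LINKS:
        return False, "link count outside rule bounds"
    russian_links = [u for u in links if link_tld(u) in RUSSIAN_TLDS]
    if not russian_links:
        return False, "no .ru/.su links"
    # Trusted senders are exempt only while DMARC authentication passes.
    if email.sender_domain in TRUSTED_DOMAINS and email.dmarc_pass:
        return False, "trusted sender, DMARC pass"
    if email.solicited:
        return False, "established sender relationship"
    indicators = []
    body_lower = email.body.lower()
    for url in russian_links:
        url_lower = url.lower()
        indicators += [f"keyword '{k}' in link" for k in SUSPICIOUS_KEYWORDS if k in url_lower]
        verdict = email.link_analysis.get(url, LinkVerdict())
        if verdict.has_login_form:
            indicators.append(f"login form at {url}")
        if verdict.known_credential_theft:
            indicators.append(f"known credential-theft link {url}")
    indicators += [f"keyword '{k}' in body" for k in SUSPICIOUS_KEYWORDS if k in body_lower]
    if indicators:
        return True, "; ".join(indicators)
    return False, "no credential-theft indicators"


# Constructed sample messages (not real traffic).
PHISH = Email("notify-example.net", False,
              "Your mailbox is almost full. Sign in to verify your account: "
              "http://mail-verify.example.ru/login.",
              link_analysis={"http://mail-verify.example.ru/login": LinkVerdict(has_login_form=True)})
TRUSTED_OK = Email("google.com", True, PHISH.body, link_analysis=PHISH.link_analysis)
SPOOFED_TRUSTED = Email("google.com", False, PHISH.body, link_analysis=PHISH.link_analysis)
BENIGN = Email("colleague.example.com", True,
               "Here is the article we discussed: http://news.example.ru/article")

if __name__ == "__main__":
    for name, msg in [("phish", PHISH), ("trusted_ok", TRUSTED_OK),
                      ("spoofed_trusted", SPOOFED_TRUSTED), ("benign", BENIGN)]:
        print(name, evaluate(msg))
```

The DMARC exemption is the part worth testing most carefully: a trusted domain with a DMARC pass is skipped, but the same body from a trusted domain that fails DMARC is exactly the spoofing case the rule is meant to catch, so it must still match.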
Categories
- Web
- Cloud
- Identity Management
- Endpoint
- Application
Data Sources
- User Account
- Web Credential
- Network Traffic
- Application Log
- Internet Scan
Created: 2024-07-19