Link: Figma Design Deck With Credential Phishing Language

Sublime Rules

Summary
The detection rule identifies potential credential phishing attempts delivered through emailed links to Figma design decks. It focuses on messages containing exactly one link to a Figma deck ('figma.com/deck') and uses Natural Language Understanding (NLU) to check whether this link has attributes associated with credential theft. The sender's profile is a key factor: the rule considers whether the sender is new, has a history of malicious activity, or hasn't communicated in over 30 days without benign interactions. The rule combines multiple detection methods, including URL analysis and optical character recognition, to analyze the content embedded in links and images. An alert is triggered when the detected intent is credential theft at a medium to high confidence level and the sender profile indicates malicious behavior. The severity of this rule is classified as medium because of the potential for compromised credentials and how commonly such phishing attacks target them.
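The gating logic in the summary, as an added Python sketch run over constructed messages; it is not the rule's own source. The field names (`links`, `deck_intents`, `sender` and its keys), the accepted hosts, and the reading of the sender conditions are assumptions, and the NLU and OCR output is supplied as input rather than computed.

```python
from urllib.parse import urlsplit

FIGMA_HOSTS = {"figma.com", "www.figma.com"}  # assumption: hosts serving decks

def is_figma_deck(url):
    """Match the parsed host and path, not a 'figma.com/deck' substring."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    on_deck_path = parts.path == "/deck" or parts.path.startswith("/deck/")
    return parts.scheme in ("http", "https") and host in FIGMA_HOSTS and on_deck_path

def sender_is_suspicious(p):
    """One reading of the summary's sender conditions (an assumption)."""
    dormant = p["days_since_last_contact"] > 30 and not p["benign_history"]
    return p["new"] or p["malicious_history"] or dormant

def should_alert(msg):
    # Exactly one deck link; other links in the message are ignored here.
    if sum(is_figma_deck(u) for u in msg["links"]) != 1:
        return False
    # deck_intents stands in for NLU output over the deck's rendered text.
    cred_theft = any(name == "cred_theft" and conf in ("medium", "high")
                     for name, conf in msg["deck_intents"])
    return cred_theft and sender_is_suspicious(msg["sender"])

def make_msg(links, intents, **sender):
    """Build a constructed message; defaults describe a known, benign sender."""
    profile = {"new": False, "malicious_history": False,
               "benign_history": True, "days_since_last_contact": 1}
    profile.update(sender)
    return {"links": links, "deck_intents": intents, "sender": profile}

DECK = "https://www.figma.com/deck/EXAMPLEKEY/Shared-document"  # constructed
HIGH, LOW = [("cred_theft", "high")], [("cred_theft", "low")]
SAMPLES = {  # constructed test messages, not real mail
    "new_sender": make_msg([DECK], HIGH, new=True, benign_history=False),
    "dormant_sender": make_msg([DECK], HIGH, benign_history=False,
                               days_since_last_contact=90),
    "trusted_sender": make_msg([DECK], HIGH),
    "low_confidence": make_msg([DECK], LOW, new=True, benign_history=False),
    "two_decks": make_msg([DECK, DECK + "-2"], HIGH, new=True),
    "lookalike_host": make_msg(["https://figma.com.example.net/deck/x"],
                               HIGH, new=True),
}
RESULTS = {name: should_alert(m) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, alerted in RESULTS.items():
        print(f"{name:16} alert={alerted}")
```

The `lookalike_host` case shows why the link test compares the parsed hostname: a plain substring search for 'figma.com/deck' would also match a deck-shaped path on an unrelated domain.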
Categories
  • Web
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
  • Web Credential
  • Application Log
Created: 2025-05-08