Impersonation: Human Resources with link or attachment and engaging language
Sublime Rules
Summary
This rule is designed to detect phishing emails that impersonate the Human Resources (HR) department, contain a link or an attachment, and use engaging language, where the sender is not part of the organization's trusted domains. The rule combines content and header analysis with Natural Language Understanding (NLU) to identify suspicious emails that may lure employees into sharing sensitive information. It includes mechanisms to filter out legitimate marketing communications and identifies potential social engineering attempts by analyzing the sender's communication style and specific HR-related keywords. The core detection logic checks that the sender's domain is untrusted, that engaging content is present together with an attachment or link, and that these indicators do not match common benign or marketing phrases that would otherwise cause false positives. Additional checks on the email's metadata distinguish maliciously crafted messages from normal correspondence. The overall intention is to mitigate risks related to Business Email Compromise (BEC) and credential phishing attempts targeting employees.
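To make the summary's decision logic concrete, the following is an added, simplified illustration (not the Sublime rule itself, and without its NLU component): a keyword-based detector that applies the same gates in order, run over constructed sample messages. The trusted-domain set, keyword lists and message samples are assumptions.

```python
"""Added illustration of the rule's logic; not the Sublime rule. All keyword
lists, the trusted-domain set and the sample messages below are assumptions."""
import re
from dataclasses import dataclass, field

TRUSTED_DOMAINS = {"example.com"}  # assumed organization domains
HR_TERMS = ("human resources", "hr department", "payroll", "benefits")
ENGAGING_TERMS = ("action required", "urgent", "immediately", "confirm", "review")
MARKETING_TERMS = ("unsubscribe", "view in browser", "manage preferences")


@dataclass
class Email:
    sender: str                      # "Display Name <addr@domain>"
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def sender_domain(sender: str) -> str:
    """Extract the domain part of the sender address (empty if none)."""
    m = re.search(r"<?([^<>\s]+)@([^<>\s]+)>?", sender)
    return m.group(2).lower() if m else ""


def has_link(text: str) -> bool:
    return re.search(r"https?://", text, re.I) is not None


def hr_impersonation(email: Email) -> bool:
    """Apply the summary's gates: untrusted domain, HR-styled sender or subject,
    a link or attachment, engaging language, and no marketing boilerplate."""
    if sender_domain(email.sender) in TRUSTED_DOMAINS:
        return False
    identity = (email.sender + " " + email.subject).lower()
    if not any(t in identity for t in HR_TERMS):
        return False
    if not (has_link(email.body) or email.attachments):
        return False
    content = (email.subject + " " + email.body).lower()
    if not any(t in content for t in ENGAGING_TERMS):
        return False
    # Legitimate bulk mail carries list-management phrases; exclude it
    return not any(t in content for t in MARKETING_TERMS)


# Constructed samples (not real messages)
PHISH = Email("HR Department <hr@payroll-update.invalid>",
              "Action required: review your benefits",
              "Please confirm your details at http://portal.invalid/login today.")
INTERNAL = Email("HR <hr@example.com>", "Benefits enrollment",
                 "See the attached form.", ["enroll.pdf"])
```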
Categories
- Endpoint
- Network
- Cloud
- Identity Management
Data Sources
- User Account
- Logon Session
- Application Log
- Process
- Network Traffic
Created: 2023-05-20