
Link: Free file host links from suspicious support sender with credential theft language

Sublime Rules

Summary
Detects inbound messages whose sender local-part is 'support' and that contain between two and five links, every one of which points to a known free file hosting service (links to PDFs or other documents are not counted). The message body is run through the natural language understanding (NLU) classifier, and the rule requires a non-low confidence for both the 'cred_theft' intent and the 'File Sharing and Cloud Services' topic. Senders from highly trusted root domains are excluded only when the message passes DMARC authentication; a message from such a domain that fails DMARC is still flagged, because the trusted name may be spoofed. The detection type is Credential Phishing, combining sender analysis, URL/domain analysis and NLU signals to catch social-engineering lures that use free file-hosting services to harvest credentials.
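The detection logic described in the summary, re-expressed in plain Python so it can be run over sample messages. This is an added example, not the rule's own source (Sublime rules are written in MQL). The free-file-host list, the high-trust domain list, the NLU labels and the sample messages are constructed stand-ins, and treating document links (.pdf, .doc, .docx) as not countable is an interpretation of the summary's wording.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Assumption: a few well-known hosts stand in for the rule's free-file-host list.
FREE_FILE_HOSTS = {"mediafire.com", "sendspace.com", "anonfiles.com", "file.io"}
# Assumption: stand-in for the "highly trusted sender root domains" list.
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"microsoft.com", "google.com"}
# Assumption: links to document files are not counted as links.
DOC_EXTENSIONS = (".pdf", ".doc", ".docx")


@dataclass
class NluLabel:
    name: str
    confidence: str  # "low", "medium" or "high"


@dataclass
class Message:
    sender_email: str
    links: List[str]
    dmarc_pass: bool
    intents: List[NluLabel] = field(default_factory=list)
    topics: List[NluLabel] = field(default_factory=list)
    inbound: bool = True


def root_domain(host: str) -> str:
    """Last two labels of a hostname; a real engine would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def countable_links(links: List[str]) -> List[str]:
    """Drop links whose URL path ends in a document extension."""
    return [u for u in links if not urlparse(u).path.lower().endswith(DOC_EXTENSIONS)]


def non_low(labels: List[NluLabel], name: str) -> bool:
    """True if the classifier emitted `name` with medium or high confidence."""
    return any(lbl.name == name and lbl.confidence != "low" for lbl in labels)


def rule_fires(msg: Message) -> Tuple[bool, str]:
    """Evaluate the summary's conditions in order; return (fired, reason)."""
    if not msg.inbound:
        return False, "not inbound"
    local_part, _, sender_domain = msg.sender_email.partition("@")
    if local_part.lower() != "support":
        return False, "sender local-part is not 'support'"
    links = countable_links(msg.links)
    if not 1 < len(links) <= 5:
        return False, f"{len(links)} countable links, need 2 to 5"
    if not all(root_domain(urlparse(u).hostname or "") in FREE_FILE_HOSTS for u in links):
        return False, "not every link points to a free file host"
    if not non_low(msg.intents, "cred_theft"):
        return False, "no non-low cred_theft intent"
    if not non_low(msg.topics, "File Sharing and Cloud Services"):
        return False, "no non-low File Sharing and Cloud Services topic"
    # Exclusion: a highly trusted root domain is only exempt when DMARC passes,
    # so a spoofed trusted domain that fails DMARC still fires.
    if root_domain(sender_domain) in HIGH_TRUST_SENDER_ROOT_DOMAINS and msg.dmarc_pass:
        return False, "high-trust sender domain with DMARC pass"
    return True, "all conditions met"


# Constructed sample messages covering the main branches of the rule.
CRED_THEFT = [NluLabel("cred_theft", "high")]
FILE_SHARE = [NluLabel("File Sharing and Cloud Services", "medium")]
TWO_FREE_HOSTS = ["https://www.mediafire.com/file/abc123/statement",
                  "https://sendspace.com/file/def456"]
SAMPLES: Dict[str, Message] = {
    "phish": Message("support@shared-docs.example", TWO_FREE_HOSTS, False, CRED_THEFT, FILE_SHARE),
    "trusted_dmarc_pass": Message("support@microsoft.com", TWO_FREE_HOSTS, True, CRED_THEFT, FILE_SHARE),
    "spoofed_trusted": Message("support@microsoft.com", TWO_FREE_HOSTS, False, CRED_THEFT, FILE_SHARE),
    "single_link": Message("support@shared-docs.example", TWO_FREE_HOSTS[:1], False, CRED_THEFT, FILE_SHARE),
    "mixed_hosts": Message("support@shared-docs.example",
                           TWO_FREE_HOSTS + ["https://portal.shared-docs.example/login"],
                           False, CRED_THEFT, FILE_SHARE),
    "low_confidence": Message("support@shared-docs.example", TWO_FREE_HOSTS, False,
                              [NluLabel("cred_theft", "low")], FILE_SHARE),
    "doc_link_only": Message("support@shared-docs.example",
                             TWO_FREE_HOSTS[:1] + ["https://www.mediafire.com/file/xyz/brochure.pdf"],
                             False, CRED_THEFT, FILE_SHARE),
}


def run_samples() -> Dict[str, bool]:
    """Map each sample name to whether the rule fires on it."""
    return {name: rule_fires(msg)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        fired, reason = rule_fires(msg)
        print(f"{name:20s} fired={fired!s:5s} {reason}")
```

Only `phish` and `spoofed_trusted` fire; the trusted sender that passes DMARC, the single-link and mixed-host messages, the low-confidence classification and the message whose second link is a PDF all fall through one of the guards.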
Categories
  • Web
  • Network
  • Endpoint
  • Application
Data Sources
  • Web Credential
  • Network Traffic
  • Application Log
  • Domain Name
Created: 2026-06-26