Xero Infrastructure Abuse

Sublime Rules

Summary
The rule 'Xero Infrastructure Abuse' identifies emails that show characteristics of credential theft attempts abusing the Xero service. It combines several heuristics: analysis of the message content, the headers, and the links in the body. The detection matters because phishing campaigns increasingly abuse widely used business services such as Xero to lend their lures legitimacy. The rule checks the sender's email address against known Xero domains and looks for external links in the body that do not belong to the organization's own domains. It also applies machine learning-based natural language processing to classify the message's intent and to match variations of subject lines commonly seen in phishing attempts. Additional checks, such as flagging links to newly registered domains, further narrow the detection to likely abuse rather than legitimate Xero traffic.
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
  • Process
Created: 2025-05-09