
Summary
This detection rule identifies potential service abuse in which mail from free email provider domains is routed through SendGrid infrastructure. Service abuse occurs when an attacker uses a legitimate email delivery service to conceal the true origin of their messages, often bypassing spam filters and improving delivery rates. The rule checks whether a message originating from a free email provider traverses SendGrid's domains, while also evaluating the message content to exclude benign communications and legitimate bounce-back notifications. Specifically, the filtering logic combines sender email domain analysis with header inspection of the email's routing domains, supplemented by natural language understanding classifiers that assess the intent behind the message content. The rule therefore supports monitoring and mitigation of credential phishing attempts that leverage common free email services, helping to protect the integrity of the organization's email communications.
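As an added illustration (not the rule's own implementation), the following Python sketch applies the four conditions described above to constructed sample messages: the From domain must belong to a free webmail provider, the Received, Return-Path or DKIM-Signature headers must reference SendGrid, delivery-status notifications and auto-replies are excluded, and a keyword heuristic stands in for the natural language classifier. The provider list, the regular expressions, the function names and every sample header are assumptions built for this example.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption: a representative, not exhaustive, list of free webmail providers.
FREE_EMAIL_PROVIDERS = {
    "gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com", "icloud.com",
}
# Routing infrastructure the rule looks for in the headers.
SENDGRID_RE = re.compile(r"(?<![\w-])sendgrid\.(?:net|com)\b", re.I)
# Assumption: keyword heuristic standing in for the NLU credential-phishing classifier.
CRED_PHISH_RE = re.compile(
    r"verify your (?:account|identity)|password (?:expires|reset|will expire)"
    r"|confirm your (?:account|identity)|account (?:has been |will be )?suspended",
    re.I,
)
BOUNCE_SUBJECT_RE = re.compile(r"undeliverable|delivery (?:status|failure)|returned mail", re.I)
BOUNCE_SENDERS = {"mailer-daemon", "postmaster"}


def sender_domain(msg: Message) -> str:
    """Domain of the From address, lower-cased ('' if unparsable)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def routes_via_sendgrid(msg: Message) -> bool:
    """True if any Received, Return-Path or DKIM-Signature header names SendGrid."""
    hops = msg.get_all("Received", []) + [msg.get("Return-Path", ""), msg.get("DKIM-Signature", "")]
    return any(SENDGRID_RE.search(h) for h in hops)


def is_bounce(msg: Message) -> bool:
    """Exclude delivery-status notifications and auto-generated replies."""
    local = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    auto = msg.get("Auto-Submitted", "no").lower()
    return local in BOUNCE_SENDERS or auto != "no" or bool(BOUNCE_SUBJECT_RE.search(msg.get("Subject", "")))


def plain_text(msg: Message) -> str:
    """Subject plus every text/plain part, which is what the content check inspects."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload())
    return "\n".join(parts)


def evaluate(raw: str) -> dict:
    """Apply the rule: free-provider sender AND SendGrid routing AND phishing intent AND not a bounce."""
    msg = message_from_string(raw)
    checks = {
        "free_provider_sender": sender_domain(msg) in FREE_EMAIL_PROVIDERS,
        "via_sendgrid": routes_via_sendgrid(msg),
        "not_bounce": not is_bounce(msg),
        "credential_phish_intent": bool(CRED_PHISH_RE.search(plain_text(msg))),
    }
    checks["match"] = all(checks.values())
    return checks


# Constructed samples (addresses, IPs and DKIM values are placeholders, not real data).
SAMPLE_PHISH = """\
Return-Path: <bounces+12345-abc@em123.sendgrid.net>
Received: from o1.sendgrid.net (o1.sendgrid.net [192.0.2.10]) by mx.example.org with ESMTPS; Fri, 9 Jan 2026 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=sendgrid.net; s=smtpapi; h=from:subject:to; bh=placeholder; b=placeholder
From: "IT Helpdesk" <helpdesk.notices@gmail.com>
To: employee@example.org
Subject: Action required: verify your account today

Your mailbox password expires in 24 hours. Verify your account to keep access.
"""

SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from o2.sendgrid.net (o2.sendgrid.net [192.0.2.11]) by mx.example.org with ESMTPS; Fri, 9 Jan 2026 10:05:00 +0000
From: Mail Delivery Subsystem <mailer-daemon@gmail.com>
To: employee@example.org
Subject: Undeliverable: verify your account today
Auto-Submitted: auto-replied

The message could not be delivered. Original subject: verify your account today.
"""

SAMPLE_BENIGN = """\
Return-Path: <bounces+999@em456.sendgrid.net>
Received: from o3.sendgrid.net (o3.sendgrid.net [192.0.2.12]) by mx.example.org with ESMTPS; Fri, 9 Jan 2026 10:10:00 +0000
From: Pat <pat.example@gmail.com>
To: employee@example.org
Subject: Lunch on Friday?

Still on for noon at the usual place?
"""

SAMPLE_DIRECT = """\
Received: from mail-out.example.net ([203.0.113.41]) by mx.example.org with ESMTPS; Fri, 9 Jan 2026 10:15:00 +0000
From: <someone@gmail.com>
To: employee@example.org
Subject: Please verify your account

Verify your account to continue.
"""

if __name__ == "__main__":
    for name, raw in [("phish", SAMPLE_PHISH), ("bounce", SAMPLE_BOUNCE),
                      ("benign", SAMPLE_BENIGN), ("direct", SAMPLE_DIRECT)]:
        print(name, evaluate(raw))
```

Only the first sample satisfies all four conditions. The bounce carries phishing wording in its quoted subject yet is excluded by the Auto-Submitted header and the mailer-daemon sender, the benign lunch note fails the content check, and the last sample shows the rule's scope: phishing text from a free provider that does not traverse SendGrid is out of scope for this particular rule and must be caught elsewhere.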
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2026-01-09