
Summary
This detection rule targets inbound messages carrying small text file attachments that may contain phishing links. It checks for attachments smaller than 1000 bytes with a content type of 'text/plain' or 'text', and it excludes calendar invites by matching the file extensions and content types associated with calendar data. It then looks for URLs inside the attachment that contain a recipient's email address, while confirming that the address's domain is valid. The rule also weighs the sender's profile: the message must be unsolicited, or the sender must have a history of malicious or spam messages with no false-positive dispositions. Taken together, these conditions target credential phishing attempts that use a seemingly benign text file attachment to solicit sensitive information from users.
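The following Python model is an added illustration of the conditions described above, not the rule's own query language or the vendor's code. The size and content-type thresholds follow the summary; the calendar extension list, the sender-profile field names (seen_before, malicious_count, spam_count, false_positive_count) and the reading of "valid email domain" as a well-formed recipient address are assumptions, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Added illustrative model; the thresholds follow the rule summary, while the
# calendar extension list and the sender-profile fields are assumptions.
MAX_ATTACHMENT_BYTES = 1000
TEXT_CONTENT_TYPES = {"text/plain", "text"}
CALENDAR_EXTENSIONS = {"ics", "vcs", "ical", "ifb"}            # assumed
CALENDAR_CONTENT_TYPES = {"text/calendar", "application/ics"}  # assumed

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


@dataclass
class Attachment:
    file_name: str
    content_type: str
    data: bytes

    @property
    def size(self) -> int:
        return len(self.data)

    @property
    def extension(self) -> str:
        return self.file_name.rsplit(".", 1)[-1].lower() if "." in self.file_name else ""


@dataclass
class SenderProfile:
    # Hypothetical reputation fields standing in for a real sender-profile lookup.
    seen_before: bool
    malicious_count: int = 0
    spam_count: int = 0
    false_positive_count: int = 0


@dataclass
class Message:
    recipients: list
    attachments: list
    sender: SenderProfile


def is_calendar_invite(att: Attachment) -> bool:
    return att.extension in CALENDAR_EXTENSIONS or att.content_type.lower() in CALENDAR_CONTENT_TYPES


def small_text_attachments(msg: Message) -> list:
    """Attachments under the size limit, of a text content type, and not calendar data."""
    return [a for a in msg.attachments
            if a.size < MAX_ATTACHMENT_BYTES
            and a.content_type.lower() in TEXT_CONTENT_TYPES
            and not is_calendar_invite(a)]


def recipient_urls(att: Attachment, recipients: list) -> list:
    """URLs in the attachment body that embed a well-formed recipient address."""
    text = att.data.decode("utf-8", errors="replace")
    hits = []
    for url in URL_RE.findall(text):
        for rcpt in recipients:
            if EMAIL_RE.match(rcpt) and rcpt.lower() in url.lower():
                hits.append(url)
    return hits


def sender_is_suspicious(p: SenderProfile) -> bool:
    unsolicited = not p.seen_before
    bad_history = (p.malicious_count > 0 or p.spam_count > 0) and p.false_positive_count == 0
    return unsolicited or bad_history


def matches_rule(msg: Message) -> bool:
    if not sender_is_suspicious(msg.sender):
        return False
    return any(recipient_urls(a, msg.recipients) for a in small_text_attachments(msg))


def build_samples() -> dict:
    """Constructed test messages (not real telemetry)."""
    rcpt = ["alice@example.com"]
    lure = b"Your mailbox is full.\nVerify: https://mail-verify.example.net/login?user=alice@example.com\n"
    new_sender = SenderProfile(seen_before=False)
    return {
        "phish": Message(rcpt, [Attachment("notice.txt", "text/plain", lure)], new_sender),
        "known_good": Message(rcpt, [Attachment("notice.txt", "text/plain", lure)],
                              SenderProfile(seen_before=True)),
        "invite": Message(rcpt, [Attachment("meeting.ics", "text/calendar", lure)], new_sender),
        "big": Message(rcpt, [Attachment("notice.txt", "text/plain", lure + b"x" * 1000)], new_sender),
        "repeat_offender": Message(rcpt, [Attachment("notice.txt", "text/plain", lure)],
                                   SenderProfile(seen_before=True, spam_count=3)),
    }


if __name__ == "__main__":
    for name, m in build_samples().items():
        print(f"{name:16s} -> {'ALERT' if matches_rule(m) else 'pass'}")
```

The samples show the exclusions doing their work: the same lure in a calendar invite, in an attachment over the size limit, or from a known sender with a clean history does not fire, while a first-time sender or one with prior spam dispositions and no false positives does.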
Categories
- Endpoint
- Web
- Mobile
Data Sources
- File
- Web Credential
Created: 2024-05-14