
Summary
This detection rule targets email messages sent from domains under commonly abused top-level domains (TLDs), in this case the '.jp' TLD. Sender TLD alone is not enough to fire the rule; it flags messages that combine that sender characteristic with content signals suggestive of credential phishing. Natural Language Understanding (NLU) is applied to the text of the email thread to detect enticing language such as urgent or financial requests. Any links in the message are compared against known suspicious patterns, and attachments are processed with Optical Character Recognition (OCR) so that credential-theft lures embedded in images or documents are not missed. The rule also considers the relationship between sender and recipient: if the sender's display name or the subject line contains the recipient's email address or domain, that is treated as an indicator of targeted phishing. To limit false positives, senders from trusted domains are excluded from the rule unless the message fails DMARC authentication, so a spoofed message that merely claims a trusted domain is still evaluated. Together these checks raise the likelihood of accurately identifying and blocking credential-theft phishing.
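The following Python model is an added illustration of how the checks above compose; it is not the rule's own query logic. The NLU and OCR stages are replaced with keyword stand-ins, the trusted-domain allow-list and the suspicious-link patterns (IP-literal hosts, userinfo in the URL) are constructed assumptions, and the sample messages are constructed test data.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumptions for this illustration: the rule text names only '.jp'; the
# allow-list, term lists and link patterns are constructed stand-ins.
ABUSED_TLDS = {"jp"}
TRUSTED_SENDER_DOMAINS = {"partner.co.jp"}
URGENCY_TERMS = ("urgent", "immediately", "wire transfer", "overdue invoice",
                 "verify your account", "password")          # stand-in for NLU
CRED_THEFT_TERMS = ("enter your password", "sign in to view",
                    "login to access")                       # stand-in for OCR lure detection
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Message:
    sender: str                  # From header address
    display_name: str            # From header display name
    recipient: str
    subject: str
    body: str
    links: list = field(default_factory=list)
    attachment_ocr_text: str = ""   # text an OCR pass would have extracted
    dmarc_pass: bool = False


def domain_of(addr: str) -> str:
    """Domain part of an email address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def has_abused_tld(domain: str) -> bool:
    return domain.rsplit(".", 1)[-1] in ABUSED_TLDS


def enticing_language(text: str) -> bool:
    """Keyword approximation of the NLU 'urgent or financial request' signal."""
    lowered = text.lower()
    return any(term in lowered for term in URGENCY_TERMS)


def suspicious_links(links) -> list:
    """Links whose host is an IPv4 literal or that carry userinfo before the host."""
    hits = []
    for url in links:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if IPV4_HOST.match(host) or parsed.username is not None:
            hits.append(url)
    return hits


def credential_theft_attachment(ocr_text: str) -> bool:
    lowered = ocr_text.lower()
    return any(term in lowered for term in CRED_THEFT_TERMS)


def targets_recipient(msg: Message) -> bool:
    """Display name or subject contains the recipient's address or domain."""
    recipient = msg.recipient.lower()
    haystack = f"{msg.display_name} {msg.subject}".lower()
    return recipient in haystack or domain_of(recipient) in haystack


def trusted_and_authenticated(msg: Message) -> bool:
    """The negation: a trusted domain is excluded only while DMARC passes."""
    return domain_of(msg.sender) in TRUSTED_SENDER_DOMAINS and msg.dmarc_pass


def evaluate(msg: Message) -> dict:
    indicators = {
        "abused_tld": has_abused_tld(domain_of(msg.sender)),
        "enticing_language": enticing_language(f"{msg.subject}\n{msg.body}"),
        "suspicious_links": suspicious_links(msg.links),
        "cred_theft_attachment": credential_theft_attachment(msg.attachment_ocr_text),
        "targets_recipient": targets_recipient(msg),
    }
    content_signal = (indicators["enticing_language"]
                      or bool(indicators["suspicious_links"])
                      or indicators["cred_theft_attachment"]
                      or indicators["targets_recipient"])
    flagged = (indicators["abused_tld"] and content_signal
               and not trusted_and_authenticated(msg))
    return {"flagged": flagged, **indicators}


# Constructed sample messages (not real traffic).
PHISH = Message(sender="billing@acme-invoices.jp",
                display_name="IT Helpdesk victim.example.com",
                recipient="alice@victim.example.com",
                subject="Urgent: verify your account",
                body="Your mailbox will be suspended unless you act now.",
                links=["http://203.0.113.5/login"],
                attachment_ocr_text="Enter your password to view the invoice")
LEGIT = Message(sender="tanaka@partner.co.jp", display_name="Tanaka Hiro",
                recipient="alice@victim.example.com",
                subject="Meeting notes from Tuesday",
                body="Attached are the notes we discussed. Thanks.",
                links=["https://partner.co.jp/docs/notes"], dmarc_pass=True)
SPOOFED = Message(sender="tanaka@partner.co.jp", display_name="Tanaka Hiro",
                  recipient="alice@victim.example.com",
                  subject="Overdue invoice - wire transfer needed immediately",
                  body="Please process payment today.",
                  links=["http://user@partner-co-jp.example/pay"], dmarc_pass=False)

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT), ("SPOOFED", SPOOFED)):
        print(name, evaluate(msg))
```

The SPOOFED case is the one the DMARC caveat exists for: the sender domain is on the allow-list, but because authentication fails the exclusion does not apply and the financial-urgency and userinfo-link signals carry the verdict.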
Categories
- Web
- Endpoint
- Cloud
- Identity Management
Data Sources
- User Account
- Process
- Network Traffic
Created: 2023-05-31