Link: Unsolicited email contains link to page containing Tycoon URI structure

Sublime Rules

Summary
This rule detects unsolicited inbound emails that contain links whose structure matches the URI patterns used by the Tycoon phishing kit. The primary check is on the link's href_path: a Tycoon-like path is made up of alphanumeric segments separated by ! or @, falls within a bounded path length, and does not match obviously benign or hosted patterns. The rule also inspects the display_text of the link for the same Tycoon-like structure, and for references to challenges.cloudflare.com, which appear in one Tycoon variant. It applies only to inbound mail, requires the message to contain between 1 and 14 links, and uses link analysis (including the final DOM and script text of the landing page) to corroborate the URI structure. To limit false positives, it excludes link domains beginning with www. and the known benign root domains fpjs.io, medium.com, unpkg.com, alicdn.com, and turtl.co. Detection methods include sender analysis, URL analysis, and URL screenshot. Matches are labelled Credential Phishing and associated with the evasion and social-engineering techniques typical of campaigns that lure users into entering credentials through deceptive links.
Categories
  • Network
  • Web
Data Sources
  • Network Traffic
Created: 2026-03-11