
Mass campaign: recipient address in subject, body, and link (untrusted sender)

Sublime Rules

Summary
This rule targets a pattern common in mass phishing campaigns: a templated lure personalized with the recipient's own email address. It fires when the recipient's address (the local part or the full address) appears in the subject line, in the message body, and in the query parameters of a link in the message, a layout that makes a bulk message look targeted and carries the victim's identity through to the landing page. To cut noise, the rule adds several constraints: the message must have exactly one recipient, and the sender must be untrusted, meaning new or suspicious according to sender-profile analysis. Highly trusted sender domains are excluded unless the message fails DMARC authentication, so a spoofed trusted domain is still caught. Header analysis, content analysis, and sender analysis together flag likely credential phishing attempts.
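As an added illustration, not the Sublime rule source (which is written in Sublime's own query language), the following Python approximates the checks described above on a constructed RFC 5322 message. It assumes a small trusted-domain allowlist, a DMARC verdict read from the Authentication-Results header (RFC 8601), and the title's conjunction that the address must appear in all three locations; each location is also returned as its own flag so the threshold can be loosened. The sample message and the domains in it are constructed for the example.

```python
# Added example approximating the rule's logic; not Sublime's rule source.
# Assumptions: allowlist below, DMARC verdict from Authentication-Results.
import re
from email import message_from_bytes, policy
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumed stand-in for the rule's "highly trusted sender domains" list.
TRUSTED_SENDER_DOMAINS = {"microsoft.com", "google.com"}

class _HrefCollector(HTMLParser):
    """Collect href targets from <a> tags in an HTML body part."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self.hrefs.extend(v for k, v in attrs if k.lower() == "href" and v)

def _body_text_and_links(msg):
    """Return (visible text, link targets) across text/plain and text/html parts."""
    text, links = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            body = part.get_content()
            text.append(body)
            links.extend(re.findall(r"https?://[^\s<>\"']+", body))
        elif ctype == "text/html":
            html = part.get_content()
            collector = _HrefCollector()
            collector.feed(html)
            links.extend(collector.hrefs)
            text.append(re.sub(r"<[^>]+>", " ", html))  # strip tags to visible text
    return "\n".join(text), links

def _dmarc_failed(msg):
    """True if any Authentication-Results header records dmarc=fail."""
    return any(re.search(r"\bdmarc=fail\b", str(h), re.I)
               for h in msg.get_all("Authentication-Results", []))

def _mentions_recipient(text, local, full):
    """Full address anywhere, or the local part as a whole token so that a
    short local part such as 'jo' does not fire on every 'john'."""
    text = text.lower()
    if full in text:
        return True
    pattern = r"(?<![a-z0-9._%+-])" + re.escape(local) + r"(?![a-z0-9._%+-])"
    return re.search(pattern, text) is not None

def _link_query_mentions_recipient(links, local, full):
    """True if any link's query-string value carries the recipient address."""
    for link in links:
        try:
            query = urlparse(link).query
        except ValueError:
            continue
        for values in parse_qs(query, keep_blank_values=True).values():
            if any(_mentions_recipient(v, local, full) for v in values):
                return True
    return False

def evaluate(raw):
    """Run the checks on raw message bytes; returns per-check flags and a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = [addr.lower() for _, addr in getaddresses(headers) if addr]
    full = recipients[0] if recipients else ""
    local = full.partition("@")[0]
    body, links = _body_text_and_links(msg)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    # A trusted domain is exempt only while DMARC holds; on a DMARC failure the
    # domain may be spoofed, so the exemption is dropped.
    trusted = sender_domain in TRUSTED_SENDER_DOMAINS and not _dmarc_failed(msg)
    r = {
        "single_recipient": len(recipients) == 1,
        "in_subject": bool(full) and _mentions_recipient(str(msg.get("Subject", "")), local, full),
        "in_body": bool(full) and _mentions_recipient(body, local, full),
        "in_link_query": bool(full) and _link_query_mentions_recipient(links, local, full),
        "trusted_sender": trusted,
    }
    r["flagged"] = (r["single_recipient"] and not trusted
                    and r["in_subject"] and r["in_body"] and r["in_link_query"])
    return r

def build_sample(sender, dmarc_result):
    """Constructed sample message (not a real campaign); sender and DMARC verdict vary."""
    return (
        f"From: IT Desk <{sender}>\n"
        "To: alice.nguyen@corp.example\n"
        "Subject: Action required for alice.nguyen\n"
        f"Authentication-Results: mx.corp.example; dmarc={dmarc_result}\n"
        'Content-Type: text/html; charset="utf-8"\n'
        "\n"
        "<html><body><p>alice.nguyen@corp.example, your mailbox is almost full.</p>\n"
        '<a href="https://login.example.net/verify?u=alice.nguyen%40corp.example&amp;t=1">Verify</a>\n'
        "</body></html>\n"
    ).encode()
```

Calling `evaluate(build_sample("helpdesk@example.net", "pass"))` flags the message; the same content from `notify@microsoft.com` with `dmarc=pass` is exempted by the allowlist, and with `dmarc=fail` it is flagged again. The whole-token match on the local part is the check most worth tuning: very short or dictionary-word local parts will still produce false positives in ordinary body text.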
Categories
  • Web
  • Endpoint
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2022-12-12