Suspicious recipient pattern and language with low reputation link to login

Sublime Rules

Summary
This rule identifies potential credential phishing characterized by the combination of three signals: a suspicious recipient pattern, urgent or finance-themed language, and a link that leads to a potentially harmful login page. It examines the links embedded in the message, looking at their domains, whether those domains have low reputation, and whether the link's display text is misleading or uses confusable characters. It flags messages that pair financial or urgent language with links to login forms that could be malicious. It also evaluates the structure of the recipient addresses for anomalies such as the absence of a valid domain or delivery via BCC, which can indicate unsafe practices. Natural language understanding is used to detect urgent, finance-related themes in the message body. Taken together, these checks help protect against credential phishing by analyzing the interplay between the language of the email and the attributes of its links.
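As an added illustration of the three signals the summary combines (this is not the rule's own MQL nor any Sublime code), the following Python approximation scores a message on recipient anomalies, urgent financial wording, and login links with low-reputation, mismatched or confusable domains. The reputation list, the keyword patterns, the sample message and the mailbox address are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Constructed stand-in for a domain reputation feed (assumption, not a real list).
LOW_REPUTATION = {"login-portal.test"}
URGENT_FINANCE = re.compile(r"\b(urgent|immediately|overdue|invoice|payment|suspend\w*)\b", re.I)
LOGIN_PATH = re.compile(r"(login|signin|sign-in|verify|auth)", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAGS = re.compile(r"<[^>]+>")

def recipient_anomalies(msg, mailbox):
    """Recipients lacking a valid domain, and BCC-style delivery (mailbox absent from To/Cc)."""
    addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    no_domain = [a for a in addrs if "@" not in a or "." not in a.rsplit("@", 1)[1]]
    bcc = mailbox.lower() not in addrs
    return no_domain, bcc

def suspicious_login_links(html):
    """Links to a login path whose host is low-reputation, mismatched with the display text, or confusable."""
    found = []
    for href, inner in ANCHOR.findall(html):
        host = (urlparse(href).hostname or "").lower()
        shown_host = urlparse("//" + TAGS.sub("", inner).strip().lower().split("://")[-1]).hostname or ""
        low_rep = any(host == d or host.endswith("." + d) for d in LOW_REPUTATION)
        mismatch = "." in shown_host and shown_host != host   # display text names another domain
        confusable = any(ord(c) > 127 for c in host)          # non-ASCII label, e.g. a homoglyph
        if LOGIN_PATH.search(urlparse(href).path) and (low_rep or mismatch or confusable):
            found.append({"host": host, "low_rep": low_rep, "mismatch": mismatch, "confusable": confusable})
    return found

def evaluate(raw, mailbox):
    """Combine the three signals; all of them must be present for the message to be flagged."""
    msg = message_from_string(raw)
    no_domain, bcc = recipient_anomalies(msg, mailbox)
    body = msg.get_payload()
    urgent = bool(URGENT_FINANCE.search(TAGS.sub(" ", body)))
    links = suspicious_login_links(body)
    return {"flag": bool((no_domain or bcc) and urgent and links),
            "no_domain": no_domain, "bcc": bcc, "urgent": urgent, "links": links}

# Constructed sample: recipient without a domain, urgent payment wording, login link whose text names another domain.
SAMPLE = """From: billing@vendor.example
To: accounts
Content-Type: text/html

<p>Your payment is overdue. Log in immediately to avoid suspension.</p>
<a href="http://secure.bank.example.login-portal.test/login">secure.bank.example</a>
"""
```

Running `evaluate(SAMPLE, "victim@corp.example")` flags the sample; addressing the mailbox directly and pointing the link at the displayed domain clears every signal and the flag drops.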
Categories
  • Web
  • Cloud
  • Endpoint
  • Application
Data Sources
  • User Account
  • Application Log
  • Network Traffic
  • Process
  • Web Credential
Created: 2024-04-30