
Summary
This detection rule identifies emails that impersonate Salesforce and use urgent language about a failed or cancelled campaign. All of the following conditions must hold for a message to match:
- The sender's display name contains 'salesforce', but the sender's domain is not one of the legitimate Salesforce domains ('salesforce.com', 'force.com', 'site.com' or 'agentforce.com').
- The message carries no attachments.
- The body contains at least one link to a domain that belongs neither to the recipient organization nor to an official Salesforce domain.
- The body is 600 characters or shorter and contains the word 'campaign'.
- Natural language analysis of the body finds urgency (terms such as 'failed' or 'cancelled') together with a request directed at the recipient.
By combining content analysis, NLU-based entity detection and sender-domain verification, the rule surfaces credential-theft phishing that relies on social engineering rather than on malicious attachments. Because every condition must be met, a message that adds an attachment, omits the word 'campaign' or runs past 600 characters falls outside this rule.
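The conditions above, expressed as runnable Python over constructed sample messages. This is an added example, not the rule's own implementation or the detection engine it runs in: the NLU urgency and request signals are approximated with a keyword list and a regular expression, the recipient organization's domain (example.com) is an assumption, and the three messages are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Domains the rule treats as legitimate Salesforce senders and link targets.
SALESFORCE_DOMAINS = ("salesforce.com", "force.com", "site.com", "agentforce.com")
# Assumption for this example: the recipient organization's own domain(s).
ORG_DOMAINS = ("example.com",)
# Keyword approximation of the rule's NLU urgency signal.
URGENCY_TERMS = ("failed", "cancelled", "canceled", "immediately", "urgent")
# Regex approximation of the rule's "request" signal (an imperative aimed at the reader).
REQUEST_PATTERN = re.compile(r"\b(click|log ?in|sign in|verify|review|update|reactivate)\b", re.I)
# Captures the host part of any http(s) URL in the body.
URL_PATTERN = re.compile(r"https?://([^/\s]+)", re.I)
MAX_BODY_LENGTH = 600


@dataclass
class Message:
    from_header: str                 # raw From: header, e.g. 'Name <user@host>'
    body: str                        # plain-text body
    attachments: list = field(default_factory=list)


def domain_matches(domain, allowed):
    """True if domain equals, or is a subdomain of, any entry in allowed."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def sender_parts(from_header):
    """Split a From: header into (display name, sender domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def external_links(body):
    """Hosts linked in the body that belong neither to the org nor to Salesforce."""
    hosts = []
    for m in URL_PATTERN.finditer(body):
        host = m.group(1).split(":")[0]      # drop an explicit port, if any
        if not domain_matches(host, SALESFORCE_DOMAINS + ORG_DOMAINS):
            hosts.append(host.lower())
    return hosts


def matches_rule(msg):
    """Return (matched, per-condition results); every condition must be true to match."""
    name, domain = sender_parts(msg.from_header)
    body_lower = msg.body.lower()
    checks = {
        "display_name_salesforce": "salesforce" in name.lower(),
        "sender_not_salesforce": not domain_matches(domain, SALESFORCE_DOMAINS),
        "no_attachments": not msg.attachments,
        "external_link": bool(external_links(msg.body)),
        "short_body": len(msg.body) <= MAX_BODY_LENGTH,
        "mentions_campaign": "campaign" in body_lower,
        "urgency": any(term in body_lower for term in URGENCY_TERMS),
        "request": bool(REQUEST_PATTERN.search(msg.body)),
    }
    return all(checks.values()), checks


# Constructed sample messages (not real traffic).
PHISH = Message(
    from_header="Salesforce Alerts <noreply@salesforce-notices.net>",
    body=("Your campaign 'Q3 Outreach' has failed and will be cancelled within 24 hours. "
          "Review the campaign at https://salesforce-notices.net/login to keep it active."),
)
LEGIT = Message(
    from_header="Salesforce <noreply@salesforce.com>",
    body=("Your campaign report is ready. "
          "Review it at https://login.salesforce.com/ when convenient."),
)
INTERNAL = Message(
    from_header="Salesforce Admin <admin@example.com>",
    body=("The campaign sync failed overnight; please review the attached log "
          "and the dashboard at https://intranet.example.com/crm."),
    attachments=["sync.log"],
)

if __name__ == "__main__":
    for label, msg in (("PHISH", PHISH), ("LEGIT", LEGIT), ("INTERNAL", INTERNAL)):
        matched, checks = matches_rule(msg)
        failed = [k for k, v in checks.items() if not v]
        print(f"{label}: matched={matched} failed_conditions={failed}")
```

The legitimate message is excluded solely by the sender-domain check, and the internal message by its attachment and the absence of an external link, which mirrors the rule's all-conditions design: a single unmet condition is enough to keep a message out of scope.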
Categories
- Web
- Identity Management
- Cloud
Data Sources
- User Account
- Web Credential
- Process
Created: 2025-09-09