
Credential phishing: Generic document share template

Sublime Rules

Summary
This rule detects credential phishing attempts that use generic document-share templates together with recipient-specific cues in inbound messages. It combines content analysis with natural language understanding (NLU) to identify the targeting patterns adversaries use to impersonate legitimate communications and induce recipients to act on sensitive data. Core signals include personalisation via greeting detection and recipient-specific data (the recipient's domain, local part, or domain elements), attention-grabbing openers, and multiple recipient elements. It also captures broken-template attacks in which recipient placeholders remain visible. A secondary signal set searches for a document-oriented Unicode symbol sequence paired with document-related keywords (e.g., document, remit, review, statement, mail) to flag template-like content. To narrow false-positive risk, the rule excludes highly trusted domains unless DMARC authentication fails, and it requires a non-benign NLU intent before proceeding. Broken-template indicators are also detected via NLU entity extraction of recipient placeholders wrapped in braces. Overall, the rule targets credential phishing campaigns that use document-themed visuals and recipient-specific text to lure users into exposing credentials or sensitive information, while applying guardrails against false positives from trusted senders and benign intents.
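The following is an added Python model of the signals described above, run over constructed sample messages; it is not the rule's own source, and the regexes, the recipient-mention threshold, the way signals combine, and the NLU intent labels are assumptions made for illustration.

```python
import re
# Heuristics paraphrased from the rule summary; patterns, thresholds and the way
# signals combine are this example's assumptions, not the rule's source.
DOC_KEYWORDS = ("document", "remit", "review", "statement", "mail")
DOC_SYMBOLS = "\U0001F4C4\U0001F4C1\U0001F4C2\U0001F4CE\U0001F4E7\U0001F4E9"  # page/folder/clip/envelope
GREETING_RE = re.compile(r"^\s*(hi|hello|dear|greetings)\b[\s,:]*(.{0,60})", re.I | re.M)
PLACEHOLDER_RE = re.compile(r"\{\{?\s*[A-Za-z_]+\s*\}?\}")  # unrendered {{first_name}} / {email}

def recipient_cues(recipient):
    # Local part, full domain and domain labels (TLD dropped) of the recipient address.
    local, _, domain = recipient.lower().partition("@")
    cues = {local, domain}
    for label in domain.split(".")[:-1]:
        cues.update(p for p in label.split("-") if len(p) > 2)
    return cues

def score_message(subject, body, recipient, sender_domain, dmarc_pass, nlu_intent, trusted=()):
    """Return (flagged, signals); a trusted sender passing DMARC or a benign intent short-circuits."""
    if sender_domain.lower() in trusted and dmarc_pass:
        return False, ["trusted_sender_dmarc_pass"]
    if nlu_intent == "benign":
        return False, ["benign_intent"]
    text, signals = f"{subject}\n{body}", []
    low, cues = text.lower(), recipient_cues(recipient)
    m = GREETING_RE.search(text)
    if m and any(c in m.group(2).lower() for c in cues):
        signals.append("greeting_with_recipient_data")
    if sum(low.count(c) for c in cues) >= 2:
        signals.append("multiple_recipient_elements")
    if PLACEHOLDER_RE.search(text):
        signals.append("unrendered_placeholder")
    if any(ch in DOC_SYMBOLS for ch in text) and any(k in low for k in DOC_KEYWORDS):
        signals.append("doc_symbol_with_doc_keyword")
    targeted = {"greeting_with_recipient_data", "multiple_recipient_elements"} & set(signals)
    flagged = "unrendered_placeholder" in signals or (
        "doc_symbol_with_doc_keyword" in signals and bool(targeted))
    return flagged, signals

# Constructed sample messages for the three paths (not real campaign data).
SAMPLES = {
    "phish": dict(subject="\U0001F4C4 Document shared with alice", recipient="alice@acme-corp.com",
                  body="Hello alice,\nA new statement for acme-corp.com is waiting for review. Sign in.",
                  sender_domain="mailer.example.net", dmarc_pass=False, nlu_intent="cred_theft"),
    "broken": dict(subject="Your document", body="Dear {{first_name}}, your file is ready.",
                   recipient="bob@example.org", sender_domain="example.net", dmarc_pass=False,
                   nlu_intent="cred_theft"),
    "trusted": dict(subject="\U0001F4C4 Statement", body="Hello alice, your acme statement is attached.",
                    recipient="alice@acme-corp.com", sender_domain="acme-corp.com", dmarc_pass=True,
                    nlu_intent="cred_theft", trusted=("acme-corp.com",)),
}

def evaluate(name):
    return score_message(**SAMPLES[name])
```

The "trusted" sample shows the DMARC guardrail: the same document-themed content from an authenticated trusted domain is not flagged, whereas a failing DMARC result would let the content signals run.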
Categories
  • Endpoint
  • Application
  • Web
Data Sources
  • Script
  • Process
  • Application Log
Created: 2026-04-01