
Summary
This detection rule identifies potential credential phishing attempts whose content is image-heavy and lacks substantive text. The primary indicators are incoming messages with minimal or absent links and a limited number of attachments, where the body is either very brief or consists predominantly of warning banners. The rule also checks for specific kinds of image files, particularly truncated PNGs and logos, which are often indicative of phishing attempts. High-confidence indicators of credential theft are assessed with machine learning models, and computer vision and natural language understanding are applied to the attachment content to help determine whether the intent of the communication is malicious.
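The following is an added example, not the rule's own logic, showing how the structural indicators in the summary can be applied to sample messages as a pre-filter before the heavier analysis. The thresholds (`MAX_LINKS`, `MAX_ATTACHMENTS`, `SHORT_BODY_CHARS`, `BANNER_DOMINANCE`), the warning-banner pattern, and the `Message`/`Attachment` shapes are assumptions made for illustration; the machine-learning, computer-vision and NLU classifiers the rule relies on are assumed to be external and are not implemented here. The one content check implemented is the truncated-PNG test, which relies on the PNG format's mandatory `IEND` trailer. The sample messages are constructed.

```python
import re
from dataclasses import dataclass

# PNG framing constants (from the PNG specification)
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_IEND_CHUNK = b"\x00\x00\x00\x00IEND\xaeB`\x82"  # zero-length IEND chunk plus its fixed CRC

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Typical gateway-inserted "external sender" banner line (pattern is an assumption)
BANNER_RE = re.compile(r"^\s*(caution|warning)\b.*\b(external|outside)\b.*$",
                       re.IGNORECASE | re.MULTILINE)

# Thresholds are assumptions chosen for illustration, not values taken from the rule
MAX_LINKS = 1
MAX_ATTACHMENTS = 3
SHORT_BODY_CHARS = 200
BANNER_DOMINANCE = 0.5


@dataclass
class Attachment:
    filename: str
    content_type: str
    data: bytes

    def is_image(self) -> bool:
        return (self.content_type.startswith("image/")
                or self.filename.lower().endswith((".png", ".jpg", ".jpeg", ".gif")))


@dataclass
class Message:
    direction: str  # "inbound" or "outbound"
    body_text: str
    attachments: list


def is_truncated_png(data: bytes) -> bool:
    """True for data that starts like a PNG but lacks the mandatory IEND trailer."""
    return data.startswith(PNG_SIGNATURE) and not data.endswith(PNG_IEND_CHUNK)


def strip_banners(text: str) -> str:
    """Remove warning-banner lines so only the sender's own text is measured."""
    return BANNER_RE.sub("", text)


def evaluate(msg: Message) -> dict:
    """Apply the structural indicators and report whether the message matches and why.

    A match means the image attachments should be handed to the (external, assumed)
    CV/NLU credential-theft classifier; this function only does the pre-filtering.
    """
    if msg.direction != "inbound":
        return {"match": False, "reasons": ["not inbound"]}
    links = len(URL_RE.findall(msg.body_text))
    if links > MAX_LINKS:
        return {"match": False, "reasons": [f"{links} links in body"]}
    if not 1 <= len(msg.attachments) <= MAX_ATTACHMENTS:
        return {"match": False, "reasons": [f"{len(msg.attachments)} attachments"]}
    images = [a for a in msg.attachments if a.is_image()]
    if not images:
        return {"match": False, "reasons": ["no image attachments"]}

    reasons = []
    body = msg.body_text.strip()
    remainder = strip_banners(body).strip()
    banner_share = 1 - len(remainder) / max(len(body), 1)
    if len(remainder) < SHORT_BODY_CHARS:
        reasons.append(f"short body ({len(remainder)} chars after banner removal)")
    elif banner_share >= BANNER_DOMINANCE:
        reasons.append(f"body is {banner_share:.0%} warning banner")
    else:
        return {"match": False, "reasons": ["substantive text body"]}

    reasons.append(f"{len(images)} image attachment(s) queued for visual analysis")
    for a in images:
        if is_truncated_png(a.data):
            reasons.append(f"{a.filename}: truncated PNG (no IEND trailer)")
    return {"match": True, "reasons": reasons}


# Constructed sample data (not real mail or real images)
TRUNCATED_PNG = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + b"\x00" * 17  # cut off after IHDR
COMPLETE_PNG = TRUNCATED_PNG + PNG_IEND_CHUNK  # IHDR CRC is not validated here; constructed

SAMPLE_PHISH = Message(
    direction="inbound",
    body_text="CAUTION: This email originated from an external sender.\n\nPlease see attached.",
    attachments=[Attachment("invoice.png", "image/png", TRUNCATED_PNG)],
)
SAMPLE_NEWSLETTER = Message(
    direction="inbound",
    body_text=("Hello team,\n\n"
               + "Here are this month's updates on the project, roadmap and hiring. " * 6
               + "\nRead more at https://example.com/news and https://example.com/jobs\n"),
    attachments=[Attachment("logo.png", "image/png", COMPLETE_PNG)],
)

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("newsletter", SAMPLE_NEWSLETTER)):
        print(name, evaluate(msg))
```

Run as a script, the constructed phishing-style message matches (short body once the banner is removed, one image attachment, truncated PNG), while the newsletter is rejected early on its link count. In a real pipeline the `match` result would gate the more expensive image and language analysis rather than be an alert on its own.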
Categories
- Web
- Cloud
- Endpoint
Data Sources
- Image
- File
- User Account
- Process
- Application Log
Created: 2023-09-08