
Summary
This detection rule identifies credential-phishing attempts that use links to notifications.google.com but are sent from non-Google or untrusted senders. Such emails trade on the perceived legitimacy of Google notifications to persuade recipients to enter their credentials. Messages whose sender domain is google.com are excluded unless they fail DMARC authentication, which keeps false positives from legitimate Google notifications low; in other words, the sender condition is met when the domain is not Google-related, or when it is Google-related but DMARC fails. The rule then inspects the message body for links to notifications.google.com, focusing on URLs whose path begins with '/g/p/'. It also checks for suspicious subject lines and common phishing patterns, such as the word 'verification'. Sender reputation is factored in: user-engagement data is used so that messages from new or outlier senders, unsolicited messages, and messages previously flagged as spam receive closer scrutiny. The rule also specifically watches for known domains involved in Salesforce phishing campaigns. Together, these factors let the rule mitigate the risk of credential phishing in this context.
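The sender, DMARC, link and subject checks described above, as an added example in Python that is not the rule's own implementation (which this page does not show). It assumes DMARC results are exposed by the receiving MTA in an Authentication-Results header, treats google.com and its subdomains as Google-related, and runs over constructed sample messages embedded in the block (the example.net/example.org addresses and the /g/p/ tokens are made up). The sender-reputation, user-engagement and Salesforce-campaign signals mentioned in the summary are not reproduced, because the page gives no concrete values for them.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_google_domain(domain: str) -> bool:
    # Assumption: google.com and its subdomains count as "Google-related" senders.
    return domain == "google.com" or domain.endswith(".google.com")


def sender_domain(msg: Message) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def dmarc_passed(msg: Message) -> bool:
    # Assumption: the receiving MTA records the DMARC verdict in an
    # Authentication-Results header (RFC 8601). No verdict is treated as not passed.
    header = msg.get("Authentication-Results", "")
    return re.search(r"\bdmarc=pass\b", header, re.I) is not None


def body_text(msg: Message) -> str:
    # walk() yields the message itself for non-multipart messages.
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def notification_links(text: str) -> list:
    # Keep only links to notifications.google.com whose path starts with /g/p/.
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)")  # drop sentence punctuation glued to the link
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host == "notifications.google.com" and parsed.path.startswith("/g/p/"):
            hits.append(url)
    return hits


def evaluate(raw_message: str) -> dict:
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    # Sender condition: non-Google domain, or a Google domain that failed DMARC.
    untrusted_sender = not is_google_domain(domain) or not dmarc_passed(msg)
    links = notification_links(body_text(msg))
    subject_hint = "verification" in msg.get("Subject", "").lower()
    return {
        "sender_domain": domain,
        "untrusted_sender": untrusted_sender,
        "links": links,
        "subject_hint": subject_hint,
        # Core match: untrusted sender AND a notifications.google.com /g/p/ link.
        "matched": untrusted_sender and bool(links),
    }


# Constructed sample messages, not real captures.
SAMPLES = {
    "external_sender": (
        "From: Google Workspace <alerts@example.net>\nTo: victim@example.org\n"
        "Subject: Account verification required\n"
        "Authentication-Results: mx.example.org; dmarc=pass header.from=example.net\n\n"
        "Your account needs verification. Review the notice here:\n"
        "https://notifications.google.com/g/p/AD-5ab8c1f\n"
    ),
    "legit_google": (
        "From: Google <noreply@google.com>\nTo: victim@example.org\n"
        "Subject: New comment on your document\n"
        "Authentication-Results: mx.example.org; dmarc=pass header.from=google.com\n\n"
        "Open: https://notifications.google.com/g/p/AD-77e0a2\n"
    ),
    "spoofed_google": (
        "From: Google <noreply@google.com>\nTo: victim@example.org\n"
        "Subject: Verification needed\n"
        "Authentication-Results: mx.example.org; dmarc=fail header.from=google.com\n\n"
        "Confirm now: https://notifications.google.com/g/p/AD-9ff01b.\n"
    ),
    "other_google_link": (
        "From: Billing <billing@example.net>\nTo: victim@example.org\n"
        "Subject: Invoice\n\n"
        "Manage alerts at https://notifications.google.com/settings\n"
    ),
}


def run_samples() -> dict:
    return {name: evaluate(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:18} matched={result['matched']} links={result['links']}")
```

The spoofed_google sample shows why the DMARC clause matters: a From header claiming google.com is cheap to forge, so the google.com exclusion only applies when the receiving MTA confirms DMARC passed. The subject hint is returned separately rather than folded into the match, so it can be used to raise severity without becoming a hard requirement.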
Categories
- Web
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Web Credential
- Application Log
Created: 2023-11-22