
Summary
This detection rule identifies potentially malicious use of Microsoft Forms as a landing page for phishing attacks. It searches message groups for links to 'forms.office.com' and checks them for indicators of abuse, including newly registered links, free file hosts, URL shorteners, and links that redirect to CAPTCHA or confirmed phishing pages. The rule skips link analysis when the display text contains strong phishing indicators, unless the sending profile is identified as soliciting or unusual. It analyzes the final domain's HTML for specific error messages relating to privacy concerns, evaluates the presence of phishing keywords in form questions, and looks for abnormal form structures. Notably, it checks for forms that are empty, lack questions, or use excessive line breaks. The rule also considers suspicious links leading away from the form. It combines HTML, URL, and content analysis, with filtering, to detect credential phishing attempts.
Categories
- Web
- Cloud
- Identity Management
- Other
Data Sources
- Web Credential
- Process
Created: 2024-09-09
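
The form-structure checks named in the summary (empty form, no questions, excessive line breaks, phishing keywords in questions, links leading away from the form) can be sketched as follows. This is an added example, not the rule's own logic: the keyword list, the line-break limit, the parsed-form dict layout and the sample forms are all assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed values for illustration; the rule's real keywords and limits are not on this page.
PHISH_KEYWORDS = ("password", "verify your account", "sign in", "mfa code")
MAX_LINE_BREAKS = 10
FORMS_HOST = "forms.office.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def form_indicators(form):
    """Return the sorted structural indicators found in a parsed form dict (assumed layout)."""
    hits = set()
    title = form.get("title", "")
    description = form.get("description", "")
    questions = form.get("questions", [])
    text_parts = [title, description] + questions
    if not questions:
        hits.add("no_questions")
        if not (title.strip() or description.strip()):
            hits.add("empty_form")
    # Long runs of line breaks are one of the abnormal structures the summary names.
    if sum(part.count("\n") for part in text_parts) > MAX_LINE_BREAKS:
        hits.add("excessive_line_breaks")
    lowered = " ".join(questions).lower()
    if any(keyword in lowered for keyword in PHISH_KEYWORDS):
        hits.add("phishing_keyword_in_question")
    # Any URL in the form text whose host is not the Forms host leads away from the form.
    for part in text_parts:
        for url in URL_RE.findall(part):
            host = (urlparse(url).hostname or "").lower()
            if host and host != FORMS_HOST:
                hits.add("link_away_from_form")
    return sorted(hits)

# Constructed sample forms, not real data.
SAMPLE_FORMS = {
    "survey": {"title": "Team lunch", "description": "Pick a day",
               "questions": ["Which day works?", "Any allergies?"]},
    "lure": {"title": "Secure document", "questions": [],
             "description": "View the file:" + "\n" * 12 + "https://files.example.net/doc"},
    "harvest": {"title": "IT helpdesk", "description": "",
                "questions": ["Enter your email", "Enter your password"]},
    "blank": {"title": "", "description": "", "questions": []},
}

if __name__ == "__main__":
    for name, form in SAMPLE_FORMS.items():
        print(name, form_indicators(form))
```
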