
Summary
This detection rule targets credential phishing attempts that impersonate tax-related communications during tax season. It is designed to identify messages that combine references to common tax terminology, such as 'tax form', '1099', and 'tax return', with payment solicitation phrases like 'provide payment' or 'send payment information'. A key element of these phishing attempts is a link to a PDF, which may carry malicious content. The rule also includes checks to exclude messages from legitimate tax service providers (such as intuit.com and turbotax.com), and it excludes messages from trusted domains unless those messages fail DMARC authentication. By analyzing the email body, subject line, sender details, and the links contained in the message, the rule aims to detect tax-related credential phishing and reduce the risk it poses.
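The rule logic described above, written out as an added Python example (not the rule's own code): it combines the tax-term, payment-phrase and PDF-link conditions and then applies the provider exclusion and the DMARC-dependent trusted-domain exclusion, run over constructed sample messages. The Message fields, the example.com trusted-domain list and the sample text are assumptions made for the example.

```python
import re
from collections import namedtuple
# Term lists below are those named in the rule summary above.
TAX_TERMS = ("tax form", "1099", "tax return")
PAYMENT_PHRASES = ("provide payment", "send payment information")
TAX_PROVIDERS = ("intuit.com", "turbotax.com")
TRUSTED_DOMAINS = ("example.com",)  # assumption: the organisation's own trusted list

Message = namedtuple("Message", "sender_domain subject body links dmarc_pass")  # constructed model

def _mentions_any(text, phrases):
    return any(p in text.lower() for p in phrases)

def _links_to_pdf(links):
    # .pdf at the end of the path, tolerating a trailing query string or fragment
    return any(re.search(r"\.pdf(?:[?#]|$)", u.lower()) for u in links)

def _in_domains(domain, allowed):
    d = domain.lower()
    return any(d == a or d.endswith("." + a) for a in allowed)

def is_tax_phish(msg):
    text = f"{msg.subject} {msg.body}"
    # All three content conditions must hold: tax term, payment ask, PDF link.
    if not (_mentions_any(text, TAX_TERMS) and _mentions_any(text, PAYMENT_PHRASES)
            and _links_to_pdf(msg.links)):
        return False
    # Exclusions: known tax providers always; trusted domains only if DMARC passed.
    if _in_domains(msg.sender_domain, TAX_PROVIDERS):
        return False
    if _in_domains(msg.sender_domain, TRUSTED_DOMAINS) and msg.dmarc_pass:
        return False
    return True

def _sample(domain, link, dmarc_pass):
    # Constructed lure text; only the sender, link and DMARC result vary per sample.
    return Message(domain, "Your 1099 tax form is ready",
                   "Please provide payment details to release your refund.",
                   (link,), dmarc_pass)

SAMPLES = {  # constructed messages, one per branch of the rule
    "lure": _sample("payroll-alerts.invalid", "https://payroll-alerts.invalid/1099.pdf", False),
    "provider": _sample("mail.intuit.com", "https://intuit.com/docs/1099.pdf", True),
    "trusted_pass": _sample("example.com", "https://example.com/tax.pdf", True),
    "trusted_fail": _sample("example.com", "https://example.com/tax.pdf", False),
    "no_pdf": _sample("payroll-alerts.invalid", "https://payroll-alerts.invalid/login", False),
}

def evaluate_samples():
    return {name: is_tax_phish(m) for name, m in SAMPLES.items()}
```

Only the lure and the trusted-domain message that fails DMARC are flagged; the provider message, the DMARC-passing trusted message and the lure without a PDF link are all suppressed.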
Categories
- Web
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2025-09-11