
Credential phishing: Re-Authentication lure

Sublime Rules

Summary
This detection rule identifies potential credential phishing attempts that use re-authentication lures. It analyzes inbound email messages for content requesting that the recipient reauthenticate to an email account, including language aimed at acquiring the recipient's credentials. The rule checks for the presence of certain security-related keywords, the length of the email body, and the number of links. It uses a machine learning-based Natural Language Understanding (NLU) classifier to evaluate the intent and confidence of the content, focusing on high-confidence indicators of credential theft, and also considers the language used, looking for non-English text. The rule further inspects links within the message for suspicious domains and paths, specifically checking whether they point to domains inconsistent with the sender's email domain and whether their paths contain indicators such as 'update', 'confirm', or 'auth'. Matching links must not come from high-trust domains, and the rule can apply additional checks against lists of potentially malicious domains and indicators of urgency. This layered approach combines content and URL analysis, header validation, and sender reputation assessment.
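As an added illustration (not Sublime's own rule or its MQL), the following Python sketches the heuristic side of the logic described above: body length, link count, security keywords, urgency terms, and links whose domain differs from the sender's, is not high-trust, and carries an 'update'/'confirm'/'auth' path indicator. Keyword matching stands in for the rule's NLU classifier, and the keyword, urgency, and high-trust lists are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Simplified stand-ins for the rule's lists (constructed for this example, not Sublime's actual data).
SECURITY_KEYWORDS = ("re-authenticate", "reauthenticate", "verify your account",
                     "password", "credentials", "session has expired")
URGENCY_TERMS = ("immediately", "within 24 hours", "suspended", "avoid suspension")
PATH_INDICATORS = ("update", "confirm", "auth")       # path tokens named in the rule summary
HIGH_TRUST_DOMAINS = {"microsoft.com", "google.com"}  # placeholder allowlist (assumption)
LINK_RE = re.compile(r'https?://[^\s"\'<>]+')

def registered_domain(host):
    """Crude eTLD+1: last two labels. A real implementation would use the Public Suffix List."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicious_links(body, sender_domain):
    """Links whose domain differs from the sender's, is not high-trust, and carries an indicator path."""
    hits = []
    for url in LINK_RE.findall(body):
        parsed = urlparse(url)
        dom = registered_domain(parsed.hostname or "")
        if dom in HIGH_TRUST_DOMAINS or dom == registered_domain(sender_domain):
            continue
        if any(tok in parsed.path.lower() for tok in PATH_INDICATORS):
            hits.append(url)
    return hits

def is_reauth_lure(sender, body, max_body_len=4000, max_links=5):
    """Return True when the message matches the re-authentication lure pattern.
    Keyword matching stands in for the rule's NLU credential-theft classifier."""
    if len(body) > max_body_len:  # lures are short; long newsletters are out of scope
        return False
    links = LINK_RE.findall(body)
    if not links or len(links) > max_links:
        return False
    text = body.lower()
    keyword_hit = any(k in text for k in SECURITY_KEYWORDS)
    urgency_hit = any(u in text for u in URGENCY_TERMS)
    sender_domain = sender.rsplit("@", 1)[-1]
    return keyword_hit and urgency_hit and bool(suspicious_links(body, sender_domain))

# Constructed sample messages for demonstration.
LURE_SENDER = "it-support@mail-notice.example"
LURE_BODY = ("Your mailbox session has expired. Re-authenticate immediately to avoid suspension:\n"
             "https://secure-login.example.net/auth/confirm?u=user")
BENIGN_SENDER = "noreply@example.com"
BENIGN_BODY = ("Your password was changed. If this wasn't you, review your account at\n"
               "https://example.com/account/security")
```

The benign sample is flagged by no check because its link resolves to the sender's own domain, which is the domain-consistency test the summary describes.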
Categories
  • Endpoint
  • Web
  • Identity Management
  • Cloud
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
  • Application Log
Created: 2025-10-25