
Summary
This detection rule identifies inbound emails carrying a single EML attachment whose contents contain phishing links or show suspicious behavior such as multiple redirects. It combines several methods to assess the links inside the attached EML for potential phishing sites: analyzing the link domains, following link redirects, and weighing indicators such as engaging language, display names, and suspicious subjects. Bounce-back emails are excluded, and natural language understanding is used to identify requests or urgent language that may indicate phishing. The rule is designed to block attempts to collect user credentials through these suspicious email attachments.
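As an added illustration of the checks the summary lists (exactly one EML attachment, link domains, display name, urgent language, redirect depth, bounce-back exclusion), the following standard-library Python is example code written for this page, not the rule's own logic; the `resolve` hook, the keyword list and all addresses are constructed assumptions.

```python
from email import message_from_bytes, policy
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

HREF_RE = re.compile(r'href=["\']?(https?://[^"\'\s>]+)', re.I)
URGENT_RE = re.compile(r"\b(urgent|immediately|action required|verify your (account|password))\b", re.I)
def is_bounce(msg):
    # Delivery reports and auto-replies also carry a message/rfc822 part; the rule excludes them
    return msg.get_content_type() == "multipart/report" or msg.get("Auto-Submitted", "no").lower() != "no"

def inspect(raw, resolve=lambda url: [url]):
    """Indicators for a mail with exactly one EML attachment, or None if out of scope. `resolve`
    is a hypothetical hook returning a URL's redirect chain; this example never touches the network."""
    msg = message_from_bytes(raw, policy=policy.default)
    if is_bounce(msg):
        return None
    emls = [p for p in msg.walk() if p.get_content_type() == "message/rfc822"]
    if len(emls) != 1:
        return None
    inner = emls[0].get_payload(0)                  # the attached message itself
    body = inner.get_body(("html", "plain"))
    text = body.get_content() if body else ""
    display, addr = parseaddr(inner.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    links = HREF_RE.findall(text)
    f = {
        "urgent_language": bool(URGENT_RE.search(inner.get("Subject", "") + " " + text)),
        # crude display-name check: no word of the display name occurs in the sender's domain
        "display_name_mismatch": bool(display) and not any(w in sender_domain for w in display.lower().split()),
        "foreign_link_domains": sorted({urlparse(u).hostname for u in links
                                        if not urlparse(u).hostname.endswith(sender_domain)}),
        "max_redirects": max((len(resolve(u)) - 1 for u in links), default=0),
    }
    f["flagged"] = f["urgent_language"] and (bool(f["foreign_link_domains"]) or f["max_redirects"] >= 2)
    return f

def build_sample():
    """Constructed sample: a forwarded mail whose single EML attachment links to another domain."""
    inner = EmailMessage()
    inner["From"] = "IT Support <helpdesk@example.com>"
    inner["Subject"] = "Action required: verify your account"
    inner.set_content('<p>Your mailbox is over quota. <a href="http://login.example.net/verify">'
                      'Restore access immediately</a></p>', subtype="html")
    outer = EmailMessage()
    outer["From"] = "colleague@example.org"
    outer.set_content("Forwarding the original as an attachment.")
    outer.add_attachment(inner)                     # attached as message/rfc822
    return outer.as_bytes()
```

Call `inspect(build_sample())` to see the indicator dictionary; pass a real redirect-following function as `resolve` to score redirect depth.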
Categories
- Identity Management
- Web
- Endpoint
- Cloud
Data Sources
- File
- Process
- Application Log
- Network Traffic
- User Account
Created: 2023-05-26