Credential Phishing: Fake Password Expiration from New and Unsolicited sender

Sublime Rules

Summary
This rule detects potential credential phishing attempts: unsolicited emails that claim a user's password is about to expire. The detection relies on several indicators in the email content, such as keywords related to password expiration, a high number of external links, the absence of attachments or the presence of suspicious ones, excessive whitespace, and discrepancies in the sender's domain. The rule uses Natural Language Understanding (NLU) to analyze the body text for malicious intent, and it excludes messages from high-trust senders unless they fail DMARC authentication. The body of the email should be neither excessively long nor short and should meet specific formatting conditions to avoid false positives.
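As an added illustration (not the Sublime rule itself, whose source is not reproduced here), the following Python sketch scores the indicators listed above over two constructed messages. The keyword regex stands in for the NLU intent check, and the high-trust allowlist, thresholds and sample addresses are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Illustrative thresholds and allowlist: assumptions, not the rule's own values.
EXPIRY_RE = re.compile(r"password\s+(?:will|is\s+about\s+to)\s+expire|expir\w*\s+password", re.I)
URL_RE = re.compile(r"https?://([^/\s>]+)", re.I)
HIGH_TRUST_DOMAINS = {"trusted-idp.test"}
MIN_BODY, MAX_BODY, WHITESPACE_RATIO, MIN_LINKS = 50, 4000, 0.3, 2

def domain_of(header_value):
    """Domain part of an address header, lower-cased, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze(raw):
    """Return (verdict, indicators) for one plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    sender = domain_of(msg.get("From"))
    dmarc_fail = bool(re.search(r"\bdmarc=fail\b", msg.get("Authentication-Results", ""), re.I))
    # High-trust senders are skipped unless DMARC authentication failed.
    if sender in HIGH_TRUST_DOMAINS and not dmarc_fail:
        return "skip_trusted_sender", {}
    body = "" if msg.is_multipart() else msg.get_payload()
    hosts = URL_RE.findall(body)
    ind = {
        # Regex stands in for the NLU "password expiration" intent check.
        "expiry_language": bool(EXPIRY_RE.search(body + " " + msg.get("Subject", ""))),
        "external_links": sum(1 for h in hosts if not h.lower().endswith(sender)),
        "no_attachments": not msg.is_multipart(),
        "excess_whitespace": bool(body) and sum(c.isspace() for c in body) / len(body) > WHITESPACE_RATIO,
        "domain_mismatch": any(domain_of(msg.get(h)) not in ("", sender) for h in ("Reply-To", "Return-Path")),
        "dmarc_fail": dmarc_fail,
        "length_ok": MIN_BODY <= len(body) <= MAX_BODY,
    }
    score = ((ind["external_links"] >= MIN_LINKS) + ind["no_attachments"] + ind["excess_whitespace"]
             + ind["domain_mismatch"] + ind["dmarc_fail"])
    flagged = ind["expiry_language"] and ind["length_ok"] and score >= 2
    return ("flag" if flagged else "pass"), ind

# Constructed sample: lookalike sender, mismatched Reply-To, DMARC failure, external links.
PHISH = """From: IT Helpdesk <it-support@examp1e-mail.test>
Reply-To: reset@login-portal.test
To: user@example.test
Subject: Action required: your password will expire today
Authentication-Results: mx.example.test; dmarc=fail header.from=examp1e-mail.test

Your password will expire in 24 hours.

Click https://login-portal.test/reset or https://cdn.login-portal.test/help to keep it.
"""
# Constructed sample: allowlisted sender that passes DMARC is skipped entirely.
TRUSTED = """From: Identity Team <noreply@trusted-idp.test>
To: user@example.test
Subject: Your password will expire in 10 days
Authentication-Results: mx.example.test; dmarc=pass header.from=trusted-idp.test

Your password will expire in 10 days. Change it at https://trusted-idp.test/account before then.
"""
```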
Categories
  • Identity Management
  • Web
  • Cloud
  • Endpoint
  • Application
Data Sources
  • User Account
  • Application Log
  • Web Credential
  • Network Traffic
Created: 2024-05-08