
Summary
This detection rule targets credential phishing attacks that combine indicators of an attempt to obtain sensitive information with a link to an IPFS (InterPlanetary File System) site. The rule first analyzes the body text of inbound messages for specific strings that may indicate a phishing scheme, most notably the words 'expire' and 'password'. It then applies a Natural Language Understanding (NLU) classifier that identifies whether the intent of the body text is related to credential theft. Finally, the rule examines all links within the message to determine whether any lead to an IPFS site. The rule also excludes domains that are commonly used for legitimate purposes, which would otherwise produce false positives. The rule is assigned high severity, reflecting the critical nature of credential phishing threats.
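The following Python is an added example of the detection logic described above, written for this page; it is not the rule's own query language or the vendor's code. Several details are assumptions made here: the NLU classifier is stood in for by a small list of credential-theft phrases (a real deployment would call the classifier instead), both words 'expire' and 'password' are required in the body, the allowlist of legitimate domains (BENIGN_DOMAINS) is constructed and applied to both the sender domain and link hosts, and the sample messages and CIDs are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed allowlist of domains commonly used for legitimate purposes (assumption for this example).
BENIGN_DOMAINS = {"microsoft.com", "google.com", "github.com"}

# Body-text strings the rule looks for; assumed here to require both.
CREDENTIAL_KEYWORDS = ("expire", "password")

# Stand-in for the NLU classifier: a constructed phrase list, not a real model.
CRED_THEFT_PHRASES = (
    "verify your account",
    "confirm your password",
    "update your credentials",
    "your account will be suspended",
)

# IPFS-hosted content is reached through the ipfs:// scheme, a /ipfs/<cid> gateway path,
# or a subdomain gateway host such as <cid>.ipfs.dweb.link or ipfs.io itself.
IPFS_PATH_RE = re.compile(r"^/ipfs/[A-Za-z0-9]+")
IPFS_HOST_RE = re.compile(r"(^|\.)ipfs\.", re.IGNORECASE)


@dataclass
class Message:
    sender_domain: str
    body: str
    links: list[str] = field(default_factory=list)


def is_allowlisted(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BENIGN_DOMAINS)


def is_ipfs_link(url: str) -> bool:
    """Return True if the URL points at IPFS content via scheme, gateway path or gateway host."""
    parsed = urlparse(url)
    if parsed.scheme.lower() == "ipfs":
        return True
    host = (parsed.hostname or "").lower()
    return bool(IPFS_PATH_RE.match(parsed.path)) or bool(IPFS_HOST_RE.search(host))


def body_has_indicators(body: str) -> bool:
    """Both indicator strings present in the body text (case-insensitive)."""
    text = body.lower()
    return all(k in text for k in CREDENTIAL_KEYWORDS)


def credential_theft_intent(body: str) -> bool:
    """Keyword stand-in for the NLU credential-theft intent classifier."""
    text = body.lower()
    return any(p in text for p in CRED_THEFT_PHRASES)


def evaluate(msg: Message) -> dict:
    """Apply each condition of the rule and return the per-condition results plus the verdict."""
    sender_allowlisted = is_allowlisted(msg.sender_domain)
    # Links to allowlisted domains are skipped before the IPFS check (assumption).
    ipfs_links = [
        u for u in msg.links
        if not is_allowlisted(urlparse(u).hostname or "") and is_ipfs_link(u)
    ]
    indicators = body_has_indicators(msg.body)
    intent = credential_theft_intent(msg.body)
    matched = (not sender_allowlisted) and indicators and intent and bool(ipfs_links)
    return {
        "matched": matched,
        "sender_allowlisted": sender_allowlisted,
        "indicators": indicators,
        "intent": intent,
        "ipfs_links": ipfs_links,
        "severity": "high" if matched else None,
    }


# Constructed sample messages; CIDs are placeholders, not real content identifiers.
SAMPLE_MESSAGES = [
    Message("mail-notice.example",
            "Your password will expire today. Verify your account to keep access.",
            ["https://ipfs.io/ipfs/QmExampleCidPlaceholder/login.html"]),
    Message("example.org", "Hi, the report is attached. Thanks!",
            ["https://github.com/example/repo"]),
    Message("microsoft.com",
            "Your password will expire in 3 days. Verify your account now.",
            ["https://ipfs.io/ipfs/QmExampleCidPlaceholder/login.html"]),
    Message("mail-notice.example",
            "Your password will expire today. Verify your account to keep access.",
            ["https://bafy-example-cid.ipfs.dweb.link/index.html"]),
]


def run_rule(messages=SAMPLE_MESSAGES) -> list[dict]:
    """Evaluate every message and return the verdicts in order."""
    return [evaluate(m) for m in messages]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLE_MESSAGES, run_rule()):
        print(m.sender_domain, verdict["matched"], verdict["severity"], verdict["ipfs_links"])
```

The third sample shows the allowlist working as the page describes: the body and link would otherwise match, but the sender domain is on the legitimate-domain list, so the rule does not fire. Tuning that list is where the false-positive trade-off lives; a production version would apply it only to authenticated (DMARC-aligned) senders rather than to a bare header domain.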
Categories
- Web
- Cloud
- Application
- Identity Management
Data Sources
- User Account
- Web Credential
- Network Traffic
- Process
Created: 2023-05-30