
Summary
This detection rule identifies potentially malicious Scribd documents containing embedded links that may be used for credential phishing. It analyzes both the document content and the URLs embedded within it, paying particular attention to links that target Microsoft services using common evasion techniques. The rule combines URL and HTML analysis with Natural Language Processing (NLP) and Optical Character Recognition (OCR) to uncover patterns indicative of credential theft. It checks that the content includes a single link to a Scribd document, validates the embedded links against known suspicious domains, and looks for buttons or other elements that invite user interaction leading to a phishing page. To reduce false positives, it also excludes trusted sender domains that pass DMARC authentication. Overall, the rule is designed to provide robust detection of phishing attempts delivered through Scribd-hosted content.
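As an added illustration of the checks described above (not the rule's own code), the following Python re-implements the core logic on constructed message data: the DMARC trusted-sender exclusion, the single-Scribd-link requirement, a Microsoft-themed lure link inside the document, and a clickable call to action. The domain lists, brand keywords and `Message` field names are assumptions for the example, and the lookalike heuristic stands in for the rule's suspicious-domain validation.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Illustrative re-implementation of the checks the rule summary describes.
# Domain lists and field names below are assumptions, not the rule's own data.
MICROSOFT_DOMAINS = {"microsoft.com", "office.com", "live.com", "microsoftonline.com", "sharepoint.com"}
TRUSTED_SENDERS = {"scribd.com"}            # trusted only when DMARC also passes
BRAND_WORDS = ("microsoft", "office365", "sharepoint", "onedrive", "outlook")
CTA_WORDS = ("open", "view document", "sign in", "review", "access")
BUTTON_RE = re.compile(r"<(?:a|button)\b[^>]*>([^<]{0,80})</(?:a|button)>", re.I)

@dataclass
class Message:
    sender_domain: str
    dmarc_pass: bool
    body_links: list        # URLs found in the email body
    scribd_html: str        # rendered content of the linked Scribd document
    scribd_links: list      # URLs embedded inside that document

def registered_domain(url):
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def microsoft_lookalike(url):
    """True for a link that invokes a Microsoft brand but is not hosted on a Microsoft domain."""
    if registered_domain(url) in MICROSOFT_DOMAINS:
        return False
    return any(w in url.lower() for w in BRAND_WORDS)

def is_suspicious(msg):
    # Trusted, DMARC-authenticated senders are excluded to reduce false positives
    if msg.dmarc_pass and msg.sender_domain.lower() in TRUSTED_SENDERS:
        return False
    # The body must carry exactly one link, and it must point at Scribd
    if len(msg.body_links) != 1 or registered_domain(msg.body_links[0]) != "scribd.com":
        return False
    # The document must embed a Microsoft-themed lure link and a clickable call to action
    lure = any(microsoft_lookalike(u) for u in msg.scribd_links)
    labels = [t.strip().lower() for t in BUTTON_RE.findall(msg.scribd_html)]
    cta = any(w in label for label in labels for w in CTA_WORDS)
    return lure and cta
```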
Categories
- Web
- Cloud
- Application
Data Sources
- Web Credential
- Network Traffic
Created: 2025-05-15