
Summary
This inbound email rule flags messages that impersonate Datadog alerts in order to deliver credential phishing links or malware. It fires when the sender is alert@dtdg.co, the body is shorter than 1000 characters, and one of two patterns holds: (1) the message carries a hyperlink whose destination root domain is neither datadoghq.com nor aka.ms, and the body text contains a quarantine, held-for-review, secure-message or voicemail cue; or (2) the message is detected as English and the ML topic classifier labels it, with high confidence, as Voicemail Call and Missed Call Notifications. The rule is tagged with the attack types Credential Phishing and Malware/Ransomware and with the tactics Evading detection and Free subdomain hosting (used to disguise the sender or the link destination); its detection methods are sender analysis and URL analysis. Together these surface adversaries who borrow a trusted alert channel and pair a misleading link domain with urgency cues to push the recipient to act. The logic also implies what is not caught: a body of 1000 characters or more, a non-English voicemail lure with no external link, or a link hosted under a datadoghq.com or aka.ms subdomain does not trigger this rule.
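The rule logic described above, re-implemented as an added Python example for illustration; this is not the rule's own query or code. The sender address, body-length limit, allowlisted link domains, body cues and topic name are taken from the summary. The message model, the helper names, the constructed sample messages, and the treatment of language detection and topic classification as precomputed attributes on the message are assumptions of the example. Root-domain extraction is approximated by the last two host labels and is not public-suffix aware.

```python
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlparse

# Values taken from the rule summary; the constant names are the example's own.
IMPERSONATED_SENDER = "alert@dtdg.co"
ALLOWED_ROOT_DOMAINS = ("datadoghq.com", "aka.ms")
MAX_BODY_CHARS = 1000
BODY_CUES = re.compile(r"quarantine|held for review|secure message|voice ?mail", re.IGNORECASE)
VOICEMAIL_TOPIC = "Voicemail Call and Missed Call Notifications"


@dataclass
class Message:
    """Minimal message model (assumed shape, not the product's schema)."""
    sender: str
    body_text: str
    body_html: str = ""
    language: str = "en"                          # assumed upstream language detection
    topics: dict = field(default_factory=dict)    # assumed classifier output: topic -> confidence


class _HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def extract_links(msg):
    """Hyperlink targets from HTML anchors plus bare URLs in the plain text."""
    collector = _HrefCollector()
    collector.feed(msg.body_html)
    bare = re.findall(r"https?://[^\s<>\"']+", msg.body_text)
    return collector.hrefs + bare


def root_domain(url):
    """Approximate registrable domain: last two host labels (not public-suffix aware)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def external_link_with_cues(msg):
    """Pattern 1: a link outside the allowlist plus an urgency/voicemail cue in the body."""
    external = [u for u in extract_links(msg) if root_domain(u) not in ALLOWED_ROOT_DOMAINS]
    return bool(external) and BODY_CUES.search(msg.body_text) is not None


def voicemail_topic(msg):
    """Pattern 2: English body classified with high confidence as a voicemail notification."""
    return msg.language == "en" and msg.topics.get(VOICEMAIL_TOPIC) == "high"


def evaluate(msg):
    """Names of the matched patterns; an empty list means the rule does not fire."""
    if msg.sender.lower() != IMPERSONATED_SENDER or len(msg.body_text) >= MAX_BODY_CHARS:
        return []
    hits = []
    if external_link_with_cues(msg):
        hits.append("external_link_with_cues")
    if voicemail_topic(msg):
        hits.append("voicemail_topic")
    return hits


# Constructed sample messages, not real captures.
SAMPLES = {
    "legit_alert": Message(
        sender="alert@dtdg.co",
        body_text="Monitor [CPU high] triggered on host web-01.",
        body_html='<a href="https://app.datadoghq.com/monitors/1">View monitor</a>',
    ),
    "phish_link": Message(
        sender="alert@dtdg.co",
        body_text="A secure message has been held for review. Sign in to release it.",
        body_html='<a href="https://dtdg-alerts.pages.dev/login">Release message</a>',
    ),
    "voicemail_topic": Message(
        sender="alert@dtdg.co",
        body_text="You have a new voicemail (0:42). Listen now.",
        topics={VOICEMAIL_TOPIC: "high"},
    ),
    "long_body": Message(  # same lure as phish_link, but the body exceeds the length cap
        sender="alert@dtdg.co",
        body_text="secure message held for review " + "x" * MAX_BODY_CHARS,
        body_html='<a href="https://dtdg-alerts.pages.dev/login">Release</a>',
    ),
    "other_sender": Message(
        sender="alerts@example.com",
        body_text="A secure message has been held for review.",
        body_html='<a href="https://dtdg-alerts.pages.dev/login">Release</a>',
    ),
}


def run_samples():
    return {name: evaluate(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:16} -> {'MATCH ' + ','.join(hits) if hits else 'no match'}")
```

The samples exercise both patterns and two of the negative cases implied by the logic: the legitimate alert passes because its only link stays on datadoghq.com, the oversized body is ignored even though it carries the same lure, and a different sender never reaches the pattern checks.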
Categories
- Web
Data Sources
- Domain Name
Created: 2026-06-12