Link: Self-sender credential theft with configuration placeholder

Sublime Rules

Summary
Technical summary: This rule detects inbound messages that are self-sent, i.e. the message has exactly one recipient and that recipient's address equals the sender's address. A self-addressed message is a common spoofing pattern: the attacker forges the victim's own address as the sender so the lure appears to come from a trusted source, often the victim's own account. The header condition alone is not enough to convict, because people legitimately mail notes to themselves, so the rule also runs link analysis in aggressive mode on every link in the current thread of the message body and checks whether the final DOM (the page as rendered after any redirects are followed) contains the string '/*─ CONFIG: Replace with your lure URL ─*/'. That string is a template comment from a phishing kit that the operator never edited before deploying it; note that the two dashes are the Unicode box-drawing character ─ (U+2500), not ASCII hyphens, so the match is on that exact form. If any link's final DOM contains the placeholder, the message is flagged as credential theft content. The rule is designed to trigger on phishing lures embedded in messages that impersonate a trusted sender. Detection methods are Natural Language Understanding (to identify credential-phishing language), Content analysis (to inspect the message body), URL analysis (to examine the linked destinations), and Header analysis (to verify the sender/recipient relationship and potential spoofing). The rule is categorized under Credential Phishing, with emphasis on social engineering and evasion techniques, and is labeled high severity because a successful lure yields stolen credentials.
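The following is an added reference implementation of the rule's logic in Python, written for this page; it is not the Sublime rule itself and not code from the Sublime Rules project. It reproduces the two conditions described above (single recipient equal to the sender, then the placeholder string in a linked page's final DOM) over constructed sample messages. The link-analysis step that fetches and renders the final DOM is replaced by a lookup table (`lookup_final_dom`) because the example must run offline; the sample addresses, URLs and page bodies are all made up, and lower-casing addresses before comparison is this example's normalization choice, not something the page states about the rule. The last sample shows the caveat from the summary: a kit whose marker uses ASCII hyphens instead of U+2500 does not match.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import Callable, Dict, List

# The lure-page marker the rule matches on. Both dashes are U+2500
# (BOX DRAWINGS LIGHT HORIZONTAL), not ASCII '-'; written with escapes so
# the distinction is visible in source.
PLACEHOLDER = "/*\u2500 CONFIG: Replace with your lure URL \u2500*/"

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def sender_address(msg: Message) -> str:
    """Bare, lower-cased address from the From header ('' if absent)."""
    addrs = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    return addrs[0].lower() if addrs else ""


def to_addresses(msg: Message) -> List[str]:
    """Bare, lower-cased addresses from all To headers (lower-casing is our choice)."""
    return [a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a]


def is_self_sent(msg: Message) -> bool:
    """Header condition: exactly one To recipient and it equals the sender."""
    tos = to_addresses(msg)
    return len(tos) == 1 and tos[0] == sender_address(msg)


def body_links(msg: Message) -> List[str]:
    """href targets in a single-part HTML body (quoted-thread scoping omitted)."""
    payload = msg.get_payload(decode=True)
    if payload is None:
        return []
    charset = msg.get_content_charset() or "utf-8"
    return HREF_RE.findall(payload.decode(charset, "replace"))


def flag_self_sender_placeholder(raw_message: str,
                                 fetch_final_dom: Callable[[str], str]) -> bool:
    """True when the message is self-sent and any linked page's final DOM
    carries PLACEHOLDER. fetch_final_dom stands in for link analysis
    (follow redirects, render, return the final DOM as text)."""
    msg = message_from_string(raw_message)
    if not is_self_sent(msg):
        return False
    return any(PLACEHOLDER in fetch_final_dom(url) for url in body_links(msg))


# ---- constructed sample data (hypothetical, not real traffic) --------------
FINAL_DOMS: Dict[str, str] = {
    # Kit deployed without editing its template: the marker survives in the page.
    "https://lure.invalid/login": (
        "<html><body><form action='/*\u2500 CONFIG: Replace with your lure URL \u2500*/'>"
        "<input name='password'></form></body></html>"
    ),
    # Same kit, but the operator typed ASCII '-' instead of the box-drawing dash.
    "https://lure.invalid/ascii": "<form action='/*- CONFIG: Replace with your lure URL -*/'>",
    # Harmless page behind a note-to-self.
    "https://docs.example.net/notes": "<html><body>Meeting notes</body></html>",
}


def lookup_final_dom(url: str) -> str:
    """Offline stand-in for the link-analysis fetch: return the constructed DOM."""
    return FINAL_DOMS.get(url, "")


def make_message(sender: str, to: str, href: str) -> str:
    """Build a minimal single-part HTML message (constructed sample)."""
    return (
        f"From: {sender}\nTo: {to}\nSubject: Password expiry\n"
        "Content-Type: text/html; charset=utf-8\n\n"
        f'<p>Your password expires today. <a href="{href}">Keep password</a></p>'
    )


SELF_SENT_LURE = make_message("a.user@example.com", "a.user@example.com",
                              "https://lure.invalid/login")
SELF_SENT_NOTE = make_message("a.user@example.com", "a.user@example.com",
                              "https://docs.example.net/notes")
TWO_RECIPIENTS = make_message("a.user@example.com",
                              "a.user@example.com, b.user@example.com",
                              "https://lure.invalid/login")
ASCII_DASH_LURE = make_message("a.user@example.com", "a.user@example.com",
                               "https://lure.invalid/ascii")

if __name__ == "__main__":
    for name, raw in [("self-sent lure", SELF_SENT_LURE),
                      ("self-sent note", SELF_SENT_NOTE),
                      ("two recipients", TWO_RECIPIENTS),
                      ("ASCII-dash lure", ASCII_DASH_LURE)]:
        print(f"{name:16s} -> {flag_self_sender_placeholder(raw, lookup_final_dom)}")
```

Only the first sample fires: the note-to-self is self-sent but its page has no marker, the two-recipient message fails the header condition before any link is analysed, and the ASCII-dash variant shows how narrow an exact-string match on a kit artifact is. A production rule that wanted to cover that variant would need an additional, deliberately chosen pattern; this example does not add one.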
Categories
  • Endpoint
  • Network
  • Web
Data Sources
  • Process
  • Network Traffic
Created: 2026-05-28