
Credential Phishing: Suspicious language, link, recipients and other indicators
Sublime Rules
Summary
This rule identifies potential credential phishing in inbound email by combining several suspicious characteristics of a single message. It targets messages with no visible recipients that also trigger machine learning classifiers indicating credential theft. The rule checks for the following indicators: no recipients in the 'to', 'cc', or 'bcc' fields; suspicious links pointing to well-known free hosting domains or to URLs that use certain subdomains; body text formatted entirely in capitals; and any link whose display text is entirely uppercase. Any confidence from natural language understanding (NLU) classifiers that the message's intent is credential theft further strengthens the detection. Finally, messages whose sender profile is flagged as 'new' or 'outlier' are also examined for prior malicious or spam verdicts, with known false positives ruled out.
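As an added illustration (not the rule's own MQL source, which Sublime publishes separately), the following Python approximates the structural checks the summary lists and runs them over a constructed message; the free-hosting domain list, the classifier and sender-profile inputs, and the way the indicators are combined are all assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse
# Constructed stand-in for the rule's list of free hosting domains (assumption).
FREE_HOSTING_DOMAINS = {"weebly.com", "wixsite.com", "000webhostapp.com"}
@dataclass
class Link:
    href: str
    display_text: str
@dataclass
class Message:
    body_text: str
    links: list
    to: list = field(default_factory=list)
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    sender_profile: str = "known"       # assumed values: "new", "outlier", "known"
    nlu_cred_theft: bool = False        # assumed output of an NLU intent classifier
    known_false_positive: bool = False  # assumed result of false-positive negation
def no_recipients(msg: Message) -> bool:
    return not (msg.to or msg.cc or msg.bcc)
def free_hosting_links(msg: Message) -> list:
    hits = []
    for link in msg.links:
        host = (urlparse(link.href).hostname or "").lower()
        # match the free-hosting domain itself or any subdomain beneath it
        if any(host == d or host.endswith("." + d) for d in FREE_HOSTING_DOMAINS):
            hits.append(link.href)
    return hits
def has_all_caps_run(text: str) -> bool:
    # three or more consecutive all-uppercase words of 3+ letters, e.g. "URGENT ACTION REQUIRED"
    return re.search(r"(?:\b[A-Z]{3,}\b[\s,.!:]*){3,}", text) is not None
def uppercase_link_text(msg: Message) -> list:
    return [l.href for l in msg.links if l.display_text.strip() and l.display_text.isupper()]
def evaluate(msg: Message) -> list:
    # Assumed combination: no recipients, new/outlier sender, not a known false positive,
    # plus at least one content signal. Returns the matched signals, [] if the rule would not fire.
    if not no_recipients(msg) or msg.sender_profile not in ("new", "outlier") or msg.known_false_positive:
        return []
    reasons = []
    if free_hosting_links(msg): reasons.append("free_hosting_link")
    if has_all_caps_run(msg.body_text): reasons.append("all_caps_text")
    if uppercase_link_text(msg): reasons.append("uppercase_link_text")
    if msg.nlu_cred_theft: reasons.append("nlu_credential_theft")
    return reasons
# Constructed sample: a credential-phishing-style message with no visible recipients
SAMPLE = Message(
    body_text="URGENT ACTION REQUIRED: your mailbox will be SUSPENDED unless you verify today.",
    links=[Link("https://secure-login.weebly.com/verify", "VERIFY YOUR ACCOUNT")],
    sender_profile="new", nlu_cred_theft=True)
```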
Categories
- Web
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2023-09-20