Suspicious Recipients pattern with no Compauth pass and suspicious content

Sublime Rules

Summary
This rule detects potentially malicious emails sent with undisclosed recipients, where the Compauth (Compromise authentication) verdict is not 'pass' and machine learning (ML) has flagged the content as suspicious. The detection logic combines conditions on the recipient fields, authentication results, malicious-content indicators and the sender profile. First, all recipient fields (To, CC, BCC) must be empty or consist solely of 'Undisclosed recipients', so that no targets are directly visible. Second, at least two of three risk factors must be present: a Compauth result that is neither pass nor softpass, high-confidence malicious intent as classified by the ML model (such as business email compromise or credential theft), and links recognized as phishing attempts. Third, the sender's profile must show signs of abnormal behavior, such as being new or having previously sent malicious content. Finally, well-known trusted domains are excluded unless they fail DMARC authentication. Requiring several independent signals lets the rule separate legitimate from potentially harmful mail, minimizing false positives while preserving detection coverage.
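As an added illustration (not the rule's own MQL, nor code from Sublime Security), the following Python models the four conditions described above over a constructed message record; the field names, the trusted-domain list and the intent labels are assumptions:

```python
from dataclasses import dataclass, field

# Constructed stand-in for the message attributes the rule inspects.
# Field names are assumed; they are not Sublime's message schema.
@dataclass
class Message:
    to: list = field(default_factory=list)       # recipient display strings
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    compauth: str = "none"                       # e.g. "pass", "softpass", "fail", "none"
    ml_intents: dict = field(default_factory=dict)  # intent label -> confidence
    phishing_links: int = 0                      # links classified as phishing
    sender_domain: str = ""
    sender_is_new: bool = False
    sender_prev_malicious: bool = False
    dmarc_pass: bool = True

TRUSTED_DOMAINS = {"trusted.example"}            # constructed placeholder allow-list
MALICIOUS_INTENTS = {"bec", "credential theft"}  # assumed ML intent labels

def undisclosed_recipients(msg):
    """All recipient fields empty or only 'Undisclosed recipients'."""
    names = msg.to + msg.cc + msg.bcc
    return all(n.strip().lower().startswith("undisclosed recipients") for n in names)

def risk_factor_count(msg):
    """How many of the three content/authentication risk factors are present."""
    compauth_bad = msg.compauth.lower() not in {"pass", "softpass"}
    ml_bad = any(label in MALICIOUS_INTENTS and conf == "high"
                 for label, conf in msg.ml_intents.items())
    links_bad = msg.phishing_links > 0
    return sum([compauth_bad, ml_bad, links_bad])

def sender_abnormal(msg):
    return msg.sender_is_new or msg.sender_prev_malicious

def trusted_and_authenticated(msg):
    """Trusted domains are excluded only while they still pass DMARC."""
    return msg.sender_domain.lower() in TRUSTED_DOMAINS and msg.dmarc_pass

def matches(msg):
    return (undisclosed_recipients(msg)
            and risk_factor_count(msg) >= 2
            and sender_abnormal(msg)
            and not trusted_and_authenticated(msg))
```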
Categories
  • Identity Management
  • Web
  • Cloud
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2023-05-25