
Link: HR impersonation with suspicious domain indicators and credential theft
Sublime Rules
Summary
This detection rule aims to identify phishing attempts masquerading as HR communications. It targets inbound messages that contain a high link count (over 20) together with indicators of impersonation, suspect domains, and potential credential theft. The rule filters messages on several criteria, including sender display names associated with HR functions and key phrases in the subject line or body related to salary updates, work hours, or vacation plans. It also examines the links for irregularities such as malformed domains with comma variations, consecutive dots, and unusual TLD patterns, and for URLs containing vocabulary indicative of credential theft (such as 'login', 'auth', 'verify', or 'payment'). Additional checks exclude messages from legitimate sources, and messages with extensive prior correspondence are disregarded to reduce false positives. The approach combines multiple detection methods, including content analysis and machine-learning classifiers for natural language understanding, to improve the accuracy of identifying phishing attempts.
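As an added illustration of the logic the summary describes (not the Sublime rule itself, which is written in Sublime's own rule language), the following Python sketch applies the same exclusions and indicators to a constructed message; the sender allowlist, the prior-correspondence cutoff, the HR phrase list, and the reading of "unusual TLD patterns" as a TLD that is not plain letters are assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed thresholds/allowlist: the summary only gives the link-count threshold (> 20).
MIN_LINKS = 20
PRIOR_MSG_EXCLUDE = 3                          # assumed "extensive prior correspondence"
TRUSTED_SENDER_DOMAINS = {"hr.example.com"}    # assumed legitimate-source allowlist
HR_DISPLAY_NAME = re.compile(r"\b(hr|human resources|payroll)\b", re.I)
HR_PHRASES = re.compile(r"salary update|work(ing)? hours|vacation plan", re.I)
CRED_THEFT_WORDS = re.compile(r"login|auth|verify|payment", re.I)

def suspicious_domain(host: str) -> bool:
    """Comma-for-dot, consecutive dots, or a TLD that is not plain letters (assumed reading)."""
    if "," in host or ".." in host:
        return True
    return re.fullmatch(r"[a-z]{2,}", host.rsplit(".", 1)[-1], re.I) is None

def evaluate(msg: dict) -> dict:
    """Apply the exclusions first, then collect impersonation and link indicators."""
    if msg["sender_domain"] in TRUSTED_SENDER_DOMAINS:
        return {"flagged": False, "reasons": ["trusted sender"]}
    if msg["prior_messages"] >= PRIOR_MSG_EXCLUDE:
        return {"flagged": False, "reasons": ["established correspondence"]}
    if len(msg["links"]) <= MIN_LINKS:
        return {"flagged": False, "reasons": ["link count not above threshold"]}
    reasons = []
    if HR_DISPLAY_NAME.search(msg["display_name"]):
        reasons.append("HR display name")
    if HR_PHRASES.search(msg["subject"] + " " + msg["body"]):
        reasons.append("HR lure phrase")
    bad_domains = [u for u in msg["links"] if suspicious_domain(urlparse(u).netloc)]
    cred_links = [u for u in msg["links"] if CRED_THEFT_WORDS.search(u)]
    if bad_domains:
        reasons.append(f"{len(bad_domains)} malformed link domain(s)")
    if cred_links:
        reasons.append(f"{len(cred_links)} credential-theft URL(s)")
    # Fire only when an HR lure coincides with at least one link indicator.
    lure = any(r.startswith("HR") for r in reasons)
    return {"flagged": lure and bool(bad_domains or cred_links), "reasons": reasons}

# Constructed sample (not a real capture): 19 benign intranet links plus two bad ones.
SAMPLE = {
    "sender_domain": "mail-relay.invalid", "display_name": "Human Resources",
    "prior_messages": 0, "subject": "Salary update for Q1",
    "body": "Review your new working hours before Friday.",
    "links": [f"https://intranet.example.com/news/{i}" for i in range(19)]
    + ["https://hr-portal,example.com/verify", "https://benefits..example.net/login"],
}
```

Calling `evaluate(SAMPLE)` flags the message with all four reasons; raising `prior_messages`, trimming the link list to 20, or moving the sender onto the allowlist each suppresses it.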
Categories
- Identity Management
- Endpoint
- Cloud
- Web
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2025-12-04