Link: Credential harvesting with excess padding evasion

Sublime Rules

Summary
This rule detects credential-harvesting attempts in inbound messages by combining several evasion indicators. It flags messages where a CTA link uses action-oriented text (e.g., open, sign in, log in, secure) and points to a domain different from the sender’s domain, indicating potential credential phishing. It also analyzes the message screenshot to identify tall, low word-density renders (image_height > 1500 and high height relative to displayed words), a common tactic to obscure phishing content. Additional HTML-level evasion patterns are checked: excessive empty div blocks with or without line breaks, styled div blocks with line breaks, repeated non-breaking spaces in paragraphs, and substantial CSS margin-top pushdowns (>= 1500px) to inflate content height while avoiding certain protections (e.g., absolute positioning). By combining content analysis, HTML analysis, Exif data from screenshots, and URL/domain checks, the rule aims to detect evasive credential phishing embedded in inbound email content.
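The following Python is an added illustration of the HTML-level and CTA-link checks described above; it is not the rule's own logic. The empty-div and non-breaking-space run lengths are assumed thresholds, since the summary states only the 1500px pushdown figure, and the sample HTML is constructed.

```python
import re
from urllib.parse import urlparse

ACTION_WORDS = ("open", "sign in", "log in", "secure")
MIN_PUSHDOWN_PX = 1500   # from the rule summary
MIN_EMPTY_DIVS = 10      # assumed threshold; the summary gives no count
MIN_NBSP_RUN = 10        # assumed threshold; the summary gives no count

def cta_domain_mismatch(html, sender_domain):
    """True if an anchor with action-oriented text links off the sender's domain."""
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        label = re.sub(r"<[^>]+>", "", text).strip().lower()
        host = (urlparse(href).hostname or "").lower()
        if any(w in label for w in ACTION_WORDS) and host and not host.endswith(sender_domain.lower()):
            return True
    return False

def padding_indicators(html):
    """Count the padding tricks named in the summary: empty div blocks (with or
    without <br>), nbsp-only paragraphs, and large margin-top pushdowns that
    are not absolutely positioned."""
    empty_divs = len(re.findall(r"<div[^>]*>\s*(?:<br\s*/?>\s*)*</div>", html, re.I))
    nbsp_runs = len(re.findall(r"<p[^>]*>(?:\s*&nbsp;){%d,}\s*</p>" % MIN_NBSP_RUN, html, re.I))
    pushdowns = 0
    for style in re.findall(r'style="([^"]*)"', html, re.I):
        m = re.search(r"margin-top\s*:\s*(\d+)px", style, re.I)
        if m and int(m.group(1)) >= MIN_PUSHDOWN_PX and "absolute" not in style.lower():
            pushdowns += 1
    return {"empty_divs": empty_divs, "nbsp_runs": nbsp_runs, "pushdowns": pushdowns}

def is_suspicious(html, sender_domain):
    """Combine the CTA check with at least one padding indicator, as the rule does."""
    ind = padding_indicators(html)
    padded = ind["empty_divs"] >= MIN_EMPTY_DIVS or ind["nbsp_runs"] > 0 or ind["pushdowns"] > 0
    return cta_domain_mismatch(html, sender_domain) and padded

# Constructed sample: an "Open" CTA pointing off the sender domain, pushed far
# down the page by a margin-top block, empty div/<br> runs and an nbsp paragraph.
SAMPLE_HTML = (
    '<div style="margin-top:1800px">'
    + "<div><br></div>" * 12
    + "<p>" + "&nbsp;" * 15 + "</p>"
    + '<a href="https://login.example.net/verify">Open Document</a></div>'
)

if __name__ == "__main__":
    print(padding_indicators(SAMPLE_HTML), is_suspicious(SAMPLE_HTML, "example.com"))
```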
Categories
  • Endpoint
  • Web
Data Sources
  • Image
  • File
  • Domain Name
Created: 2026-05-03