
Link: Single character path with credential theft body and self sender behavior or invalid recipient

Sublime Rules

Summary
This inbound rule flags credential-phishing attempts in which the message has exactly one recipient and either the sender address is identical to that recipient's address (self-sender) or the recipient's domain is invalid. It requires a link in the body whose URL path is a single character (e.g., /a), with no query string, no fragment, and no display URL substitution (the visible link text is not itself a URL). The rule additionally requires the natural language understanding (NLU) result for the message body to contain an intent named cred_theft with a confidence other than "low". When all of these conditions hold, the message is flagged as credential-themed phishing that pairs a minimal-path URL with a self-sender or invalid-recipient context. Detection relies on NLU for the credential-theft signal, URL analysis to validate the short path and the absence of a query, fragment, or display URL, and sender/recipient analysis to confirm the self-sender or invalid-recipient condition.
Attack types: Credential Phishing
Tactics: Evasion, Social engineering
Detection methods: Natural Language Understanding, URL analysis, Sender analysis, Header analysis
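The conditions the summary lists, expressed as a small Python checker run over constructed sample messages. This is an added illustration, not the Sublime rule itself or its MQL: the message model (sender, recipients, links, NLU intents), the domain-validity heuristic, and the display-URL check are assumptions made here to show how each condition narrows the match.

```python
"""Added example: a reference checker for the rule's conditions.

Not Sublime's code. The Message/Link/Intent model, domain_is_valid() heuristic
and the display-URL test are assumptions for illustration only.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: a recipient domain is "valid" when it has at least two DNS labels
# of letters, digits and hyphens and an alphabetic TLD. Sublime's own validity
# check is not reproduced here.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def domain_is_valid(domain: str) -> bool:
    labels = domain.lower().split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return False
    return labels[-1].isalpha()


@dataclass
class Link:
    href: str
    display_text: str = ""  # visible anchor text in the HTML body


@dataclass
class Intent:
    name: str
    confidence: str  # "low", "medium" or "high"


@dataclass
class Message:
    sender: str
    recipients: list
    links: list
    intents: list


def is_single_char_path(link: Link) -> bool:
    """True for https://host/a style links: path is one character after the
    leading slash, no query, no fragment, and the anchor text is not a URL."""
    parts = urlsplit(link.href)
    if parts.query or parts.fragment:
        return False
    if len(parts.path) != 2 or parts.path[0] != "/" or parts.path[1] == "/":
        return False
    # Display URL substitution: the visible text is itself an http(s) URL.
    shown = urlsplit(link.display_text.strip())
    if shown.scheme in ("http", "https") and shown.netloc:
        return False
    return True


def has_cred_theft_intent(intents) -> bool:
    return any(i.name == "cred_theft" and i.confidence != "low" for i in intents)


def matches_rule(msg: Message) -> bool:
    """Apply every condition from the summary; all must hold."""
    if len(msg.recipients) != 1:
        return False
    rcpt = msg.recipients[0].lower()
    self_sender = msg.sender.lower() == rcpt
    invalid_rcpt = not domain_is_valid(rcpt.rpartition("@")[2])
    if not (self_sender or invalid_rcpt):
        return False
    if not any(is_single_char_path(link) for link in msg.links):
        return False
    return has_cred_theft_intent(msg.intents)


# Constructed sample messages (not real mail); one per condition of interest.
SAMPLES = {
    "self_sender_short_path": Message(
        "alice@example.test", ["alice@example.test"],
        [Link("https://login-verify.test/a", "Verify your mailbox")],
        [Intent("cred_theft", "high")]),
    "invalid_recipient_domain": Message(
        "it-support@example.test", ["bob@localhost"],
        [Link("https://portal.test/x", "Review document")],
        [Intent("cred_theft", "medium")]),
    "query_string_present": Message(
        "alice@example.test", ["alice@example.test"],
        [Link("https://login-verify.test/a?u=1", "Verify")],
        [Intent("cred_theft", "high")]),
    "low_confidence": Message(
        "alice@example.test", ["alice@example.test"],
        [Link("https://login-verify.test/a", "Verify")],
        [Intent("cred_theft", "low")]),
    "two_recipients": Message(
        "alice@example.test", ["alice@example.test", "carol@example.test"],
        [Link("https://login-verify.test/a", "Verify")],
        [Intent("cred_theft", "high")]),
    "display_url_substitution": Message(
        "alice@example.test", ["alice@example.test"],
        [Link("https://login-verify.test/a", "https://mail.example.test/login")],
        [Intent("cred_theft", "high")]),
}


def evaluate_samples() -> dict:
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:28s} {'MATCH' if hit else 'no match'}")
```

Only the first two samples match; each of the others fails exactly one condition, which is the useful property of a conjunctive rule like this: loosening any single check (for example accepting a query string) is what would widen it to benign traffic.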
Categories
  • Identity Management
  • Web
  • Network
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
Created: 2026-04-25