
Summary
This rule detects credential-phishing attempts that target recipients through Outlook Groups (groups.outlook.com) by identifying inbound messages that contain links to Google Sites and carry a short, suspicious alphanumeric tag appended to the message body or subject. The detection logic requires three signals: (1) the sender domain in the message path must be groups.outlook.com; (2) the message content must contain a link to sites.google.com, indicative of a credential-harvesting landing page hosted on Google Sites; and (3) a small alphanumeric tag (three characters of [a-z0-9]) must be appended at the end of the body or after a double space in the subject line. The tag is a known evasion technique used to bypass content filters and blend the malicious link with legitimate content. This combination is characteristic of social-engineering and evasion-focused phishing campaigns that redirect to credential pages.

The rule is categorized under Credential Phishing and uses multi-faceted detection checks: content analysis (link and text patterns), header analysis (sender domain), URL analysis (domain of the link), and sender analysis (originating group contact). The inclusion of an auto-escaped short tag is intended to bypass simple keyword filters while leveraging trusted group-based communication channels to reach targets. Attacker techniques aligned with this rule include evasion, use of free subdomains or hosted pages on Google Sites, and social engineering to harvest credentials through trusted-looking interfaces. Overall, this rule helps identify targeted credential-phishing attempts that abuse a legitimate group collaboration service to host fraudulent login pages.
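The three signals as a small Python reference check, added here as an illustration rather than the rule's own logic or any vendor engine. The sample messages are constructed, and the regular expressions (and the choice to match the landing-page hostname exactly rather than by substring) are assumptions about how the tag and double-space conditions are expressed:

```python
import re
from email import message_from_string
from urllib.parse import urlparse
SENDER_DOMAIN = "groups.outlook.com"
LANDING_HOST = "sites.google.com"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Signal 3: three [a-z0-9] chars as the last token of the body, or after a double space in the subject.
BODY_TAG_RE = re.compile(r"(?:^|\s)([a-z0-9]{3})\s*$")
SUBJECT_TAG_RE = re.compile(r"  ([a-z0-9]{3})(?:\s|$)")

def sender_path_matches(msg, domain=SENDER_DOMAIN):
    # Signal 1: the group service domain appears somewhere in the delivery path.
    path = msg.get_all("Received", []) + [msg.get("Return-Path", ""), msg.get("From", "")]
    return any(domain in hop.lower() for hop in path)

def has_landing_link(text, host=LANDING_HOST):
    # Signal 2: compare the parsed hostname exactly, so a lookalike such as
    # sites.google.com.example.test does not count as a hit.
    return any((urlparse(u).hostname or "").lower() == host for u in URL_RE.findall(text))

def has_short_tag(subject, body):
    return bool(BODY_TAG_RE.search(body)) or bool(SUBJECT_TAG_RE.search(subject))

def evaluate(raw_message):
    # Returns each signal plus the verdict; all three must fire for a match.
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    signals = {
        "sender_domain": sender_path_matches(msg),
        "google_sites_link": has_landing_link(body),
        "short_tag": has_short_tag(msg.get("Subject", ""), body),
    }
    signals["match"] = all(signals.values())
    return signals

# Constructed sample messages (not real captures); the first carries all three signals.
SAMPLE_HIT = """\
Received: from mailer.groups.outlook.com by mx.example.test
Subject: Document shared with you  q9z

Review the shared file here: https://sites.google.com/view/constructed-sample
m4k
"""
SAMPLE_BENIGN = """\
Received: from mailer.groups.outlook.com by mx.example.test
Subject: Weekly notes

Notes are at https://drive.example.test/notes
Thanks, Team
"""
```

The benign sample shares the group sender domain but has neither the Google Sites link nor the tag, so only the first signal fires and the rule does not match.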
Categories
- Web
- Network
Data Sources
- Group
- Network Traffic
- Web Credential
- Application Log
Created: 2026-06-18