
Summary
This detection rule identifies potential credential phishing attempts sent by unknown senders. It combines several signals: a machine learning classifier analyzes the language and intent of the message for indications of credential theft, and the rule also checks for suspicious patterns in the email subject, body, sender information, and attachments, with particular attention to behaviors characteristic of phishing campaigns. Its conditions include checking whether the email or its attachments contain language typically associated with credential theft, looking for impersonation techniques, analyzing links for suspicious redirects or domains, and excluding messages from trusted sender domains unless those messages fail DMARC authentication. By drawing on multiple detection methods, including natural language understanding and URL analysis, the rule evaluates the full content of the email so that potentially harmful messages are flagged before they can trick users into disclosing sensitive information.
Categories
- Identity Management
- Web
- Cloud
- Endpoint
Data Sources
- User Account
- Web Credential
- Application Log
Created: 2023-11-21