
Summary
This detection rule identifies phishing emails that falsely claim messages are pending delivery or have been blocked. The intent of such emails is to push the recipient into acting on the message, which leads to credential theft. The rule applies several checks: it looks for keywords in the email text that signal urgency or a required action ('review', 'release', 'quarantine', etc.) and checks for the same patterns in the links the email contains. It also uses machine learning to detect phrases indicative of credential theft with high confidence. In addition, the rule marks an email as suspicious when the sender's domain does not belong to a recognized trusted organization, regardless of whether the message passed DMARC authentication. Through these layers of analysis, covering both content and sender verification, the rule aims to flag potential phishing attempts effectively.
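To make the layered logic concrete, here is an added Python sketch of the same checks run over constructed sample messages; it is not the rule's own code. The ML classifier is stood in for by a small phrase list, the trusted-organisation allow-list and the AND combination of the signals are assumptions, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass, field

# Action/urgency keywords named in the rule summary, checked in both body text and links.
ACTION_KEYWORDS = {"review", "release", "quarantine", "pending", "blocked"}
# Phrase list standing in for the rule's ML credential-theft classifier (assumption).
CRED_THEFT_PHRASES = ("verify your password", "confirm your account", "sign in to release")
# Hypothetical allow-list of recognised trusted organisation domains (assumption).
TRUSTED_ORG_DOMAINS = {"trusted-example.com"}

@dataclass
class Email:
    sender_domain: str
    dmarc_pass: bool
    body: str
    links: list = field(default_factory=list)

def action_keywords(text):
    # Tokenise on letters so keywords embedded in URL paths (e.g. /release?id=1) are found too.
    tokens = set(re.findall(r"[a-z]+", text.lower()))
    return sorted(tokens & ACTION_KEYWORDS)

def cred_theft_phrases(body):
    lower = body.lower()
    return [p for p in CRED_THEFT_PHRASES if p in lower]

def evaluate(email):
    """Return (flagged, reasons); content, phrase and sender signals are ANDed (assumed logic)."""
    reasons = []
    body_kw, link_kw = action_keywords(email.body), action_keywords(" ".join(email.links))
    if body_kw:
        reasons.append(f"body keywords: {body_kw}")
    if link_kw:
        reasons.append(f"link keywords: {link_kw}")
    phrases = cred_theft_phrases(email.body)
    if phrases:
        reasons.append(f"credential-theft phrases: {phrases}")
    # An untrusted sender domain counts even when DMARC passed: a pass only shows the
    # message really came from that domain, not that the domain is a trusted organisation.
    untrusted = email.sender_domain.lower() not in TRUSTED_ORG_DOMAINS
    if untrusted:
        reasons.append(f"sender {email.sender_domain} untrusted (dmarc_pass={email.dmarc_pass})")
    return bool(body_kw or link_kw) and bool(phrases) and untrusted, reasons

# Constructed sample messages (not real mail).
PHISH = Email("mail-notify.example.net", True,
              "3 messages are pending in quarantine. Review and release them now. "
              "Verify your password to continue.", ["https://notify.example.net/release?id=42"])
LEGIT = Email("trusted-example.com", True, PHISH.body, PHISH.links)      # same text, trusted org
NEWSLETTER = Email("news.example.org", False, "Our monthly product newsletter is here.")
```

Calling `evaluate(PHISH)` flags the message and lists every signal that fired, while the identical text sent from the trusted domain (`LEGIT`) is not flagged, which is the DMARC-independent sender check in action.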
Categories
- Network
- Endpoint
- Web
Data Sources
- User Account
- Process
- Application Log
Created: 2024-05-23