
Service abuse: Substack credential theft with confusable characters and branded button redirects
Sublime Rules
Summary
This rule detects credential-theft phishing campaigns that target Substack users by looking for a cluster of coordinated signals in inbound messages. It focuses on emails that originate from substack.com, carry Substack branding, and steer recipients to non-Substack domains where credentials are harvested. To keep false positives low while still catching careful attempts, the rule fires only when at least two of the following corroborating signals are present:

- Substack-branded elements that redirect to non-Substack domains: anchor links styled as purple buttons (background-color: #7c3aed variants, class="button", or bgcolor attributes) whose destination is an external domain.
- A sender display name that uses confusable Unicode characters to spoof the sender identity.
- Strong urgency language in the message text (five or more urgency-related entities).
- Heavy use of hidden or zero-width characters in the HTML source (above a high threshold).
- A credential-theft (cred_theft) intent detected by a natural language classifier with non-low confidence.

The rule combines several detection methods (HTML analysis, URL analysis, sender analysis, and NLP-based intent and entity extraction) to establish a reliable signal set. When at least two conditions are met, it flags the message as credential phishing using evasion-oriented social-engineering tactics, inspected in a Network/Email context. Surface-level indicators (branding, an obfuscated sender name, urgent language) are paired with deeper content analysis (HTML structure, URL destinations, and ML-derived intents) to identify targeted Substack credential-theft attempts that rely on confusable characters and branded redirects.
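The "at least two corroborating signals" logic above, as an added Python illustration that is not the Sublime rule itself: it assumes the urgency entity count and the cred_theft classifier confidence are supplied by an upstream NLU pass, approximates confusable detection by checking for letters from more than one script, and uses a zero-width character threshold of 20, a value the page does not state.

```python
import re
import unicodedata
from collections import namedtuple
from urllib.parse import urlparse

ZERO_WIDTH = "\u200b\u200c\u200d\u2060\ufeff"
ZW_THRESHOLD = 20  # assumption: the page only says "a high threshold"

# Fields: From domain, From display name, raw HTML body, urgency entity count (from an
# NLU pass) and credential-theft classifier confidence ("low"/"medium"/"high"), both supplied.
Message = namedtuple("Message", "sender_domain display_name html urgency_entities cred_theft_confidence")

def is_substack_host(host: str) -> bool:
    host = host.lower()
    return host == "substack.com" or host.endswith(".substack.com")

def branded_redirects(html: str) -> list:
    """Hrefs of purple/button-styled anchors whose destination is not a Substack host."""
    hits = []
    for tag in re.findall(r"<a\b[^>]*>", html, re.I):
        styled = re.search(r'#7c3aed|class="button"|\bbgcolor=', tag, re.I)
        href = re.search(r'href="([^"]+)"', tag, re.I)
        if styled and href and not is_substack_host(urlparse(href.group(1)).hostname or ""):
            hits.append(href.group(1))
    return hits

def has_confusable_name(name: str) -> bool:
    """Approximation: letters drawn from more than one script (e.g. Latin plus Cyrillic)."""
    scripts = {unicodedata.name(c, "?").split()[0] for c in name if c.isalpha()}
    return len(scripts) > 1

def evaluate(msg: Message) -> dict:
    """Same shape as the rule: Substack sender, then at least two corroborating signals."""
    if not is_substack_host(msg.sender_domain):
        return {"match": False, "signals": []}
    checks = [
        ("branded_redirect", bool(branded_redirects(msg.html))),
        ("confusable_sender", has_confusable_name(msg.display_name)),
        ("urgency", msg.urgency_entities >= 5),
        ("hidden_chars", sum(msg.html.count(c) for c in ZERO_WIDTH) > ZW_THRESHOLD),
        ("cred_theft_intent", msg.cred_theft_confidence in ("medium", "high")),
    ]
    signals = [name for name, hit in checks if hit]
    return {"match": len(signals) >= 2, "signals": signals}

# Constructed samples: Cyrillic "а" in the name plus a purple button leaving Substack, vs. a clean post link
PHISH = Message("substack.com", "Subst\u0430ck Support", '<a href="https://login.example.invalid/verify" '
                'style="background-color:#7c3aed">Sign in</a>', 2, "high")
BENIGN = Message("substack.com", "Substack", '<a href="https://news.substack.com/p/1" class="button">Read</a>', 0, "low")
```

`evaluate(PHISH)` reports three signals and a match; `evaluate(BENIGN)` reports none, because the button-styled link stays on a Substack host.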
Categories
- Network
- Web
Data Sources
- Network Traffic
- Web Credential
Created: 2026-03-20