Free subdomain link with credential theft indicators

Sublime Rules

Summary
This detection rule identifies likely credential theft attempts in inbound email that links to pages hosted on free subdomain providers and that shows suspicious recipient patterns. The rule evaluates inbound messages and looks for links whose root domain matches a known free subdomain host, while requiring the subdomain to be non-standard (i.e., not 'www'). It also checks the recipient fields of each message and flags those that are empty, contain undisclosed recipients, or consist of a single recipient identical to the sender. In addition, the rule combines content analysis, header analysis, and natural language understanding to assess whether the linked page uses language indicative of credential theft, based on the confidence values returned by intent detection models. When all of these conditions are met, the message is flagged as high severity, indicating a serious risk of phishing and credential exposure. Automated scanning of the linked page for credential theft language, both by direct text analysis and by OCR on a screenshot of the page, improves the rule's ability to identify malicious content.
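The structural checks described above, written out as an added Python illustration (not the Sublime rule itself, which is expressed in the Sublime query language): the free-subdomain host list, the message fields, and the linked-page intent confidence passed in as a parameter are all constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample of free subdomain providers; the real rule uses its own list.
FREE_SUBDOMAIN_HOSTS = ("000webhostapp.com", "weebly.com", "glitch.me", "github.io")


@dataclass
class Message:
    sender: str                  # envelope/From address
    recipients_to: list          # addresses in the To: field (may be empty)
    links: list = field(default_factory=list)


def free_subdomain_links(links):
    """Return links whose host is a free subdomain provider with a non-'www' subdomain."""
    hits = []
    for url in links:
        host = (urlparse(url).hostname or "").lower()
        for root in FREE_SUBDOMAIN_HOSTS:
            if host.endswith("." + root):
                sub = host[: -len(root) - 1]  # part left of the provider root
                if sub and sub != "www":
                    hits.append(url)
                break  # a host matches at most one provider root
    return hits


def suspicious_recipients(msg):
    """Flag an empty To:, an 'undisclosed recipients' entry, or a single recipient equal to the sender."""
    tos = [r.strip().lower() for r in msg.recipients_to if r and r.strip()]
    if not tos:
        return True
    if any("undisclosed" in r for r in tos):
        return True
    return len(tos) == 1 and tos[0] == msg.sender.strip().lower()


def evaluate(msg, cred_theft_confidence):
    """cred_theft_confidence is the (assumed) intent-model output for the linked page: 'low'|'medium'|'high'.
    Returns 'high' severity when every condition holds, otherwise None."""
    if not free_subdomain_links(msg.links):
        return None
    if not suspicious_recipients(msg):
        return None
    if cred_theft_confidence not in ("medium", "high"):
        return None
    return "high"
```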
Categories
  • Web
  • Endpoint
  • Cloud
  • Mobile
Data Sources
  • User Account
  • Web Credential
  • Internet Scan
Created: 2023-06-06