
Summary
This rule detects potentially malicious emails in which the sender address is identical to the recipient address, a pattern frequently used in credential theft attempts. It matches only when the sender and recipient share the same address and the subject line contains an organizational name, which gives the message contextual relevance. It then analyzes the email content for language associated with credential theft and rates its confidence as high. To reduce false positives caused by email authentication problems, the detection logic ignores self-sender cases that originate from known organizational domains. It also requires a suspicious link in the email body, which excludes most benign self-sent messages, and it matches only emails that carry no attachments or inline images alone. Together these checks make the detection resistant to sophisticated phishing attempts that exploit users' trust in familiar correspondence.
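As an added example that is not part of this rule entry, the following Python sketch applies the same sequence of checks to a constructed message and reports which checks failed; the organization names, known domains, wording patterns and the Email structure are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical organizational context (constructed for this example).
ORG_NAMES = ["acme corp", "acme"]
KNOWN_ORG_DOMAINS = {"acme.example"}   # self-sends from here are suppressed

# Credential-theft wording and link patterns (constructed, not the rule's own lists).
CRED_THEFT_RE = re.compile(
    r"(verify|confirm|update|validate)\s+your\s+(password|account|credentials|mailbox)"
    r"|password\s+(will\s+)?expire|account\s+(has\s+been\s+)?suspended",
    re.IGNORECASE,
)
LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Email:
    sender: str
    recipient: str
    subject: str
    body: str
    # Each attachment: {"name": str, "inline": bool, "mime": str}
    attachments: list = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def only_inline_images(attachments: list) -> bool:
    # Passes when there are no attachments or every one is an inline image.
    return all(a.get("inline") and a.get("mime", "").startswith("image/") for a in attachments)


def evaluate(email: Email) -> dict:
    """Run the self-addressed credential-theft checks; return verdict plus failed checks."""
    failed = []
    if email.sender.lower() != email.recipient.lower():
        failed.append("sender_not_recipient")
    if domain_of(email.sender) in KNOWN_ORG_DOMAINS:
        failed.append("known_org_domain")   # auth issues on our own domain cause benign self-sends
    if not any(name in email.subject.lower() for name in ORG_NAMES):
        failed.append("no_org_name_in_subject")
    if not CRED_THEFT_RE.search(email.body):
        failed.append("no_credential_theft_language")
    if not LINK_RE.search(email.body):
        failed.append("no_link")
    if not only_inline_images(email.attachments):
        failed.append("non_inline_attachment")
    return {"match": not failed, "failed_checks": failed}
```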
Categories
- Web
- Identity Management
- Application
- Cloud
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2025-12-12