
Link: Personal SharePoint with invalid recipients and credential theft language
Sublime Rules
Summary
This detection rule flags messages that carry the hallmarks of a credential-theft lure built around a link to a personal SharePoint (OneDrive for Business) site. Every condition below must hold for the rule to fire:
- Undisclosed or invalid recipients: the message has no recipients in the To field (for example, it was sent to everyone via BCC), or every listed recipient address has a domain that is not valid.
- No existing thread: the message carries no References or In-Reply-To context, so it is a new, unsolicited contact rather than a reply.
- Exactly one link, and that link points to a personal SharePoint host. Personal sites live under the tenant's "-my" subdomain (the `<tenant>-my.sharepoint.com` pattern), which is what the rule keys on; attackers can provision such a site on a tenant they control, so the host being a genuine Microsoft domain is not evidence of legitimacy.
- The body text, as classified by a natural language understanding (NLU) model, shows credential-theft intent at high confidence.
- The message is short (under 1500 characters of body text).
The recipient and NLU conditions carry most of the precision: legitimate OneDrive sharing notifications also link to `-my.sharepoint.com` hosts, so the host check alone would be noisy. Conversely, a lure that hides the SharePoint URL behind a shortener or open redirect will not satisfy the single-link host check unless links are resolved before evaluation. The overall goal is to detect credential phishing that relies on social engineering rather than on malicious attachments or spoofed sender domains.
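As an added illustration (this is not the rule's own source, which is written in Sublime's query language), the following Python reproduces the gating logic described above and runs it over three constructed sample messages. The NLU classifier is a hosted model, so its verdict is represented as an input field on the message rather than computed here; the domain-validity check is a simple TLD heuristic standing in for the real one, and the `Message`, `matches_rule` and `evaluate_samples` names are this example's own.

```python
"""Added example: the gating logic of the personal-SharePoint credential-theft
rule, applied to constructed messages. Not the rule's original MQL source."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Personal OneDrive/SharePoint sites are served from <tenant>-my.sharepoint.com.
PERSONAL_SHAREPOINT_HOST = re.compile(r"^[a-z0-9-]+-my\.sharepoint\.com$", re.IGNORECASE)
MAX_BODY_CHARS = 1500


@dataclass
class Message:
    to: list[str]            # addresses in the To header; empty when sent via BCC
    references: list[str]    # References / In-Reply-To values; empty for a new thread
    body_text: str
    links: list[str]
    nlu_intent: str          # assumed classifier output, e.g. "cred_theft"
    nlu_confidence: str      # assumed classifier output: "low", "medium" or "high"


def has_valid_domain(address: str) -> bool:
    """Heuristic stand-in for a real domain-validity check: the part after '@'
    must contain a dot and end in an alphabetic TLD of at least two characters."""
    if "@" not in address:
        return False
    domain = address.rsplit("@", 1)[1]
    return bool(re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", domain, re.IGNORECASE))


def undisclosed_or_invalid_recipients(msg: Message) -> bool:
    return not msg.to or all(not has_valid_domain(r) for r in msg.to)


def single_personal_sharepoint_link(msg: Message) -> bool:
    if len(msg.links) != 1:
        return False
    host = urlparse(msg.links[0]).hostname or ""
    return bool(PERSONAL_SHAREPOINT_HOST.match(host))


def high_confidence_cred_theft(msg: Message) -> bool:
    return msg.nlu_intent == "cred_theft" and msg.nlu_confidence == "high"


def matches_rule(msg: Message) -> bool:
    """All five conditions must hold, mirroring the rule's conjunction."""
    return (
        undisclosed_or_invalid_recipients(msg)
        and not msg.references
        and single_personal_sharepoint_link(msg)
        and len(msg.body_text) < MAX_BODY_CHARS
        and high_confidence_cred_theft(msg)
    )


# Constructed samples (not real traffic).
SAMPLES = {
    # BCC-only lure to an attacker-controlled personal site: should fire.
    "bcc_phish": Message(
        to=[],
        references=[],
        body_text="Your mailbox will be suspended. Sign in to review the shared document.",
        links=["https://contoso-my.sharepoint.com/:b:/p/finance/EabcXYZ"],
        nlu_intent="cred_theft",
        nlu_confidence="high",
    ),
    # Ordinary OneDrive share to a named colleague: same host, but a valid
    # recipient and no credential-theft language, so it should not fire.
    "legit_share": Message(
        to=["alice@example.com"],
        references=[],
        body_text="Bob shared 'Q3 plan.docx' with you.",
        links=["https://contoso-my.sharepoint.com/personal/bob_contoso_com/Documents/plan.docx"],
        nlu_intent="none",
        nlu_confidence="low",
    ),
    # Same lure text but linking a team site, not a personal "-my" host.
    "team_site": Message(
        to=["undisclosed-recipients:;"],
        references=[],
        body_text="Your mailbox will be suspended. Sign in to review the shared document.",
        links=["https://contoso.sharepoint.com/sites/hr/Shared%20Documents/notice.pdf"],
        nlu_intent="cred_theft",
        nlu_confidence="high",
    ),
}


def evaluate_samples() -> dict[str, bool]:
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {'MATCH' if verdict else 'no match'}")
```

The third sample is the one worth noticing: identical lure text and recipient pattern, but the link goes to a team site rather than a `-my` host, so the rule stays silent. That is the trade-off the "-my" check makes, and why a complementary rule for `<tenant>.sharepoint.com` lures is usually deployed alongside this one.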
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2026-01-24