Link: Microsoft device code authentication with suspicious indicators

Sublime Rules

Summary
This rule detects inbound messages that contain links and are addressed to a single recipient, targeting phishing campaigns that impersonate Microsoft device code authentication. It requires 0 < length(body.links) < 15, i.e. at least one link and fewer than fifteen, before it will evaluate the message.

For each link it performs aggressive URL/DOM analysis (ml.link_analysis with mode="aggressive") and examines both the final displayed text and the raw URL. A match is triggered when the link text contains device-code verification prompts or related phrases (e.g., verification complete/code, copy code, Secured by Microsoft, preparing verification, verify your identity, complete verification with Microsoft), or when the URL indicates device-login activity or antibot instrumentation. Specifically, the rule flags the presence of an antibot token header (X-Antibot-Token), API paths such as /api/device/start or /devicelogin, and URLs referencing microsoft.com/devicelogin. It also covers the case where a workers.dev subdomain is involved and the accessed path includes /api/device/start.

When a link matches any of these indicators, the rule emits a Credential Phishing signal. The rule is categorized under impersonation and social engineering tactics with evasion characteristics, and is evaluated via URL analysis, URL screenshot, and content analysis methods to establish suspicion from link content, URL structure, and related domains.
Categories
  • Web
  • Network
  • Endpoint
Data Sources
  • Network Traffic
  • Domain Name
Created: 2026-03-13