Brand impersonation: Canada Revenue Agency

Sublime Rules

Summary
Detects inbound messages that impersonate the Canada Revenue Agency (CRA) and contain credential theft indicators. It flags senders whose display name references the CRA (in English or French), or whose display name includes ‘cra’ and whose subject line contains CRA-related terms (e.g., T4, tax, revenu du Canada). It uses a natural language understanding classifier to identify credential-theft intent in the message body at any confidence above low. The rule excludes legitimate senders from highly trusted domains or the CRA-ARC.GC.ca domain when DMARC authentication passes. The alert triggers when both the impersonation and credential-theft signals are present and the message is not from an already trusted, DMARC-authenticated sender.
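The decision logic in the summary, modelled in Python as an added example; it is not the Sublime rule's source. The name patterns, the trust list, the `Message` fields and the sample messages are constructed assumptions, and the classifier verdict is supplied as data rather than computed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed stand-ins: the rule's real name patterns and trust list are not on this page.
CRA_NAMES = ("canada revenue agency", "agence du revenu du canada")
SUBJECT_TERMS = re.compile(r"\b(t4|tax|revenu du canada)\b", re.I)
HIGH_TRUST_DOMAINS = {"trusted-partner.example"}
CRA_DOMAIN = "cra-arc.gc.ca"

@dataclass
class Message:
    display_name: str
    sender_domain: str
    subject: str
    dmarc_pass: bool
    cred_theft_confidence: Optional[str]  # classifier verdict: None, "low", "medium", "high"

def impersonates_cra(msg):
    name = msg.display_name.lower()
    if any(n in name for n in CRA_NAMES):
        return True
    # A bare 'cra' in the display name only counts alongside a CRA-related subject.
    return "cra" in name and bool(SUBJECT_TERMS.search(msg.subject))

def trusted_sender(msg):
    # The exclusion needs both a trusted domain and a DMARC pass; a spoofed
    # From domain that fails DMARC is not excluded.
    domain = msg.sender_domain.lower()
    return msg.dmarc_pass and (domain == CRA_DOMAIN or domain in HIGH_TRUST_DOMAINS)

def should_alert(msg):
    cred_theft = msg.cred_theft_confidence not in (None, "low")
    return impersonates_cra(msg) and cred_theft and not trusted_sender(msg)

# Constructed sample messages, not real traffic.
SAMPLES = [
    Message("Canada Revenue Agency", "refund-portal.example", "Your refund", True, "high"),
    Message("CRA Notices", "cra-arc.gc.ca", "Your T4 is ready", False, "medium"),
    Message("CRA Notices", "cra-arc.gc.ca", "Your T4 is ready", True, "medium"),
    Message("Agence du revenu du Canada", "refund-portal.example", "Avis", False, "low"),
    Message("CRA Support", "refund-portal.example", "Lunch on Friday", False, "high"),
]

def evaluate_samples():
    return [should_alert(m) for m in SAMPLES]

if __name__ == "__main__":
    print(evaluate_samples())
```

The first sample shows that a DMARC pass alone does not suppress the alert, since a lookalike domain can publish and pass its own DMARC policy; the second and third differ only in the DMARC result for the CRA domain.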
Categories
  • Identity Management
  • Web
Data Sources
  • Domain Name
  • Network Traffic
  • Process
Created: 2026-06-09