
Summary
This detection rule identifies potential phishing attempts associated with the Mamba 2FA phishing kit by analyzing the links contained in email messages. It looks specifically for links carrying base64-encoded parameters that indicate use of this kit, focusing on patterns such as 'sv=o365' and '&uid=USER'. The rule evaluates inbound emails in which either the body text contains specific keywords associated with credential theft, or the message is addressed to a single recipient matching the email domain. Additional checks, such as link length and the redirect history of URLs, are applied to identify possible malicious activity. The rule is assigned high severity because it detects credential theft attempts that exploit users' trust through social engineering.
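The following is an added example that approximates the checks described above in Python; it is not the rule's own logic or code. The credential-theft keywords, the organization domain, the sample message and the sample URL are all constructed for illustration, and the link-length and redirect-history checks are omitted because they require live URL data.

```python
import base64
import re
from urllib.parse import parse_qsl, urlparse

# Markers the rule description associates with the kit's base64-encoded link parameters.
KIT_MARKERS = ("sv=o365", "&uid=USER")
# The page does not list the body keywords; these are constructed stand-ins.
CREDENTIAL_KEYWORDS = ("password", "verify your account", "sign in")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def decode_b64_loose(value: str) -> str:
    """Decode standard or URL-safe base64, tolerating stripped padding; '' if not base64."""
    # parse_qsl turns '+' into ' ', so restore it before normalising to the standard alphabet.
    cleaned = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8", "ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def link_has_kit_params(url: str) -> bool:
    """True when any query-string value decodes to text containing every kit marker."""
    for _, raw in parse_qsl(urlparse(url).query, keep_blank_values=True):
        decoded = decode_b64_loose(raw)
        if decoded and all(marker in decoded for marker in KIT_MARKERS):
            return True
    return False

def evaluate_email(msg: dict, org_domain: str) -> dict:
    """Apply the described conditions to a message dict with keys: from, to (list), body."""
    inbound = _domain(msg["from"]) != org_domain.lower()
    kit_links = [u for u in URL_RE.findall(msg["body"]) if link_has_kit_params(u)]
    body_hit = any(k in msg["body"].lower() for k in CREDENTIAL_KEYWORDS)
    single_internal = len(msg["to"]) == 1 and _domain(msg["to"][0]) == org_domain.lower()
    return {"alert": bool(inbound and kit_links and (body_hit or single_internal)),
            "kit_links": kit_links}

# Constructed sample: a URL-safe, unpadded base64 blob carrying both markers.
SAMPLE_URL = "https://login.example.invalid/?p=" + base64.urlsafe_b64encode(
    b"sv=o365&uid=USER").decode().rstrip("=")
SAMPLE_MESSAGE = {"from": "alerts@sender.invalid", "to": ["bob@victim.example"],
                  "body": "Your password expires today. Sign in: " + SAMPLE_URL}

if __name__ == "__main__":
    print(evaluate_email(SAMPLE_MESSAGE, "victim.example"))
```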
Categories
- Web
- Endpoint
- Identity Management
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2025-11-20