
Link: Direct link to riddle.com hosted showcase

Sublime Rules

Summary
This detection rule identifies potentially malicious emails that contain a single link directing users to a Riddle.com hosted showcase page. Such pages have been abused for credential phishing, where attackers trick users into divulging sensitive information. The rule requires that the email body contain fewer than 20 links and that one of them have the Riddle.com root domain with a path starting with '/view/'. It then checks whether the sender's domain belongs to a list of high-trust domains: if it does, the rule additionally requires DMARC authentication to pass, which avoids false positives on legitimate mail from those senders. If the domain is not high-trust, or it is high-trust but fails authentication, the message is flagged as potential phishing. This layered approach combines sender analysis, link analysis, and header authentication results to reduce the risk of credential phishing.
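The detection logic described above, re-implemented in Python as an added illustration (this is not the Sublime rule's own query language). The message structure, the high-trust domain list and the naive root-domain helper are assumptions; "one link" is read as "at least one matching link".

```python
from urllib.parse import urlparse

# Constructed stand-in for the rule's high-trust sender list (an assumption).
HIGH_TRUST_DOMAINS = {"riddle.com", "example.com"}

MAX_BODY_LINKS = 20


def root_domain(host: str) -> str:
    """Naive registrable-domain extraction: keep the last two DNS labels.

    Maps 'www.riddle.com' -> 'riddle.com' and, importantly, maps a lookalike
    such as 'riddle.com.evil.test' -> 'evil.test'. A production rule would use
    a public-suffix list to handle domains like 'example.co.uk' correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_riddle_showcase(url: str) -> bool:
    """True when the link's root domain is riddle.com and the path starts with /view/."""
    parsed = urlparse(url)
    return (root_domain(parsed.hostname or "") == "riddle.com"
            and parsed.path.startswith("/view/"))


def matches_rule(message: dict) -> bool:
    """Return True when the message should be flagged, mirroring the summary.

    `message` is a constructed stand-in for a parsed email:
      links         -> list of URLs extracted from the body
      sender_domain -> domain of the From: address
      dmarc_pass    -> whether DMARC authentication passed
    """
    links = message["links"]
    if len(links) >= MAX_BODY_LINKS:      # rule only fires on low-link-count bodies
        return False
    if not any(is_riddle_showcase(u) for u in links):
        return False
    sender = root_domain(message["sender_domain"])
    if sender in HIGH_TRUST_DOMAINS and message["dmarc_pass"]:
        return False                      # trusted and authenticated: suppress
    return True                           # untrusted sender, or trusted but DMARC failed


if __name__ == "__main__":
    # Constructed sample: one showcase link from an untrusted sender -> flagged.
    sample = {"links": ["https://www.riddle.com/view/123456"],
              "sender_domain": "mail.lookalike-bank.test", "dmarc_pass": True}
    print(matches_rule(sample))  # True
```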
Categories
  • Web
  • Cloud
  • Endpoint
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2025-08-20