
Summary
This detection rule identifies potential phishing attempts by analyzing email headers and attachments of messages sent through PHP Mailer user agents. It matches the PHP Mailer string in the message headers and then checks for generic attachment names that are frequently used in phishing campaigns, such as `image.png`, `name.png`, and `use.png`. By combining header analysis with attachment evaluation, the rule flags emails that may pose a credential phishing risk. It carries a medium severity classification: such emails are not necessarily dangerous on their own, but they warrant further investigation to mitigate the potential threat.
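The two checks described above (a PHP Mailer identifier in the headers, plus one of the listed attachment names), written out as a standalone Python evaluator; this is an added example, not the rule's own implementation. It assumes the mailer string appears in the X-Mailer or User-Agent header, and the sample message is constructed inline for the test.

```python
"""Added example: evaluate a raw RFC 822 message against the rule above."""
import email
from email import policy
from email.message import EmailMessage

# Attachment names listed in the rule summary, compared case-insensitively.
SUSPICIOUS_ATTACHMENT_NAMES = {"image.png", "name.png", "use.png"}

# Headers in which a mailer identifies itself. X-Mailer is what PHPMailer
# sets by default; User-Agent is an assumption covering relays that move it.
MAILER_HEADERS = ("X-Mailer", "User-Agent")


def is_phpmailer(msg):
    """True if any mailer header mentions PHPMailer (spacing/case tolerant)."""
    for name in MAILER_HEADERS:
        for value in msg.get_all(name, []):
            if "phpmailer" in str(value).replace(" ", "").lower():
                return True
    return False


def attachment_names(msg):
    """Lower-cased file names of every part that carries a filename."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            names.append(filename.strip().lower())
    return names


def evaluate(raw_bytes):
    """Return the verdict for one message: both conditions must hold to alert."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    mailer = is_phpmailer(msg)
    hits = sorted(set(attachment_names(msg)) & SUSPICIOUS_ATTACHMENT_NAMES)
    alert = mailer and bool(hits)
    return {"phpmailer": mailer, "suspicious_attachments": hits,
            "alert": alert, "severity": "medium" if alert else None}


def build_sample(x_mailer=None, attachment=None):
    """Constructed test message (not real phishing data) as raw bytes."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Account notice"
    if x_mailer:
        msg["X-Mailer"] = x_mailer
    msg.set_content("Please review the attached notice.")
    if attachment:  # minimal PNG header bytes stand in for a real image
        msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image",
                           subtype="png", filename=attachment)
    return msg.as_bytes()
```

Only messages matching both conditions alert; a PHPMailer message with an unlisted attachment name, or a listed name from another mailer, returns `alert: False`.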
Categories
- Web
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2022-02-23