
Summary
The rule identifies credential phishing attempts that misuse Zoho Sign templates. It inspects inbound emails for links inviting the recipient to start signing a document where those links are either non-functional or point to fake Zoho domains. The rule checks for indicators such as 'Start Signing' in the email content and applies regex to the HTML to find URL patterns characteristic of fraudulent links. It also requires that the email thread context include both the sender's and recipient's domains, confirming that the phishing attempt is tied to the correspondence. The overall goal is to reduce the risk from social engineering that exploits a trusted service like Zoho Sign.
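The following is an added illustration of the three checks the summary describes (a 'Start Signing' lure, a dead or lookalike link, and both correspondents' domains in the thread). It is not the rule's own logic; the Zoho host allowlist, the regexes, the non-functional-link list and the sample messages are assumptions constructed for this example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of genuine Zoho Sign hosts (constructed for this example).
ZOHO_HOSTS = ("zoho.com", "zohosign.com")
START_SIGNING_RE = re.compile(r"start\s+signing", re.IGNORECASE)
# Pull href targets out of anchor tags; quotes are optional so sloppy HTML still matches.
HREF_RE = re.compile(r"""<a\b[^>]*\bhref\s*=\s*["']?([^"'\s>]*)""", re.IGNORECASE)
NON_FUNCTIONAL = ("", "#", "javascript:void(0)")  # assumed "dead link" targets


def domain_of(address: str) -> str:
    """Lower-cased domain part of an RFC 5322 address such as 'Name <user@host>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def is_genuine_zoho(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in ZOHO_HOSTS)


def suspicious_links(html: str) -> list[str]:
    """Links that go nowhere, or that imitate Zoho on a host outside the allowlist."""
    found = []
    for href in HREF_RE.findall(html):
        href = href.strip()
        if href.lower() in NON_FUNCTIONAL:
            found.append(href)  # 'Start Signing' button with no real target
            continue
        host = (urlparse(href).hostname or "").lower()
        if "zoho" in host and not is_genuine_zoho(host):
            found.append(href)  # lookalike such as zoho-sign-verify.example.net
    return found


def flags_zoho_sign_phish(sender: str, recipient: str, html: str) -> bool:
    """True only when all three conditions from the rule summary hold."""
    if not START_SIGNING_RE.search(html):
        return False
    if not suspicious_links(html):
        return False
    body = html.lower()
    # Thread context: both correspondents' domains appear in the message body.
    return domain_of(sender) in body and domain_of(recipient) in body


# Constructed sample messages, not captured from a real campaign.
PHISH_HTML = ('<p>A document from corp.example.com is waiting for you.</p>'
              '<a href="https://zoho-sign-verify.example.net/doc/1">Start Signing</a>'
              '<p>Sent via notify.example.net</p>')
BENIGN_HTML = ('<p>corp.example.com shared a document via notify.example.net.</p>'
               '<a href="https://sign.zoho.com/doc/1">Start Signing</a>')
```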
Categories
- Web
- Identity Management
- Endpoint
Data Sources
- User Account
- Web Credential
- Application Log
Created: 2024-09-30