
Summary
The rule detects inbound emails that purport to come from Robinhood and attempt to inject deceptive content into the Device field. It triggers when the message appears to come from noreply@robinhood.com, the body contains the phrase “Your recent login to Robinhood,” and the HTML portion includes a list item under a div/ul structure containing the text “Device:” with more than 500 bytes of HTML content. This pattern signals potential content injection designed to mislead the recipient or exfiltrate data, consistent with credential phishing. Detection methods used include content analysis (string matching in the body), header/sender analysis (verifying the sender address), HTML analysis (XPath-based extraction of the injected field), and generic data extraction from the HTML structure. The labeled attack type is Credential Phishing, with tactics focusing on Impersonation: Brand and Social engineering. Analysts should correlate with known Robinhood communications and verify sender authenticity, apply email authentication (SPF/DKIM/DMARC), and consider additional checks (URL/attachment analysis, user reports) to reduce false positives where legitimate Robinhood notifications exist.
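As an added example (not the rule's own code), the following Python reproduces the three conditions described above over constructed HTML: it assumes the sender address has already been extracted from the From header, and it measures the 500-byte threshold on markup rebuilt by Python's HTMLParser rather than on the raw source.

```python
from html.parser import HTMLParser

EXPECTED_SENDER = "noreply@robinhood.com"
BODY_PHRASE = "Your recent login to Robinhood"
DEVICE_HTML_LIMIT = 500  # bytes of markup tolerated inside the Device: item

class DeviceItemCollector(HTMLParser):
    """Rebuild the markup of each <li> directly under div/ul (the rule's XPath-style extraction)."""
    def __init__(self):
        super().__init__()
        self.open, self.items, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if self._buf is None and tag == "li" and self.open[-2:] == ["div", "ul"]:
            self._buf = []                 # start capturing this list item
        if self._buf is not None:
            self._buf.append(self.get_starttag_text())
        self.open.append(tag)
    def handle_endtag(self, tag):
        if tag in self.open:               # pop back to the matching open tag
            del self.open[len(self.open) - 1 - self.open[::-1].index(tag):]
        if self._buf is not None:
            self._buf.append(f"</{tag}>")
            if tag == "li":                # closes the captured item (no nested <li> assumed)
                self.items.append("".join(self._buf))
                self._buf = None
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

def evaluate(sender, html):
    """Apply the rule's three conditions; return each check and the verdict."""
    collector = DeviceItemCollector()
    collector.feed(html)
    collector.close()
    device_items = [i for i in collector.items if "Device:" in i]
    largest = max((len(i.encode()) for i in device_items), default=0)
    checks = {
        "sender_is_robinhood": sender.lower() == EXPECTED_SENDER,
        "body_has_phrase": BODY_PHRASE in html,
        "device_item_oversized": largest > DEVICE_HTML_LIMIT,
    }
    checks["alert"] = all(checks.values())
    return checks

# Constructed samples: a notice with a short device name, and the same notice
# whose Device: item carries ~520 bytes of injected markup (filler here).
BENIGN_HTML = ("<html><body><p>Your recent login to Robinhood was from a new device.</p>"
               "<div><ul><li>Time: 09:14 UTC</li><li>Device: iPhone</li></ul></div></body></html>")
INJECTED_HTML = BENIGN_HTML.replace("Device: iPhone", "Device: <span>" + "x" * 520 + "</span>")
```

Only the combination of all three checks raises an alert, so a genuine notice with a short device name or the same oversized item from an unrelated sender does not fire.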
Categories
- Endpoint
- Web
- Network
- Application
Data Sources
- User Account
- Application Log
- Process
- Network Traffic
Created: 2026-04-28