
Credential theft with 'safe content' deception and social engineering topics
Sublime Rules
Summary
This detection rule identifies phishing attempts that use deceptive language to lure users into revealing credentials. Specifically, it targets messages containing phrases that claim the message is from a 'safe sender' or contains 'safe content', especially in the initial lines of the body. Such wording is typically used to circumvent security filters and exploit user trust. The rule employs Natural Language Understanding (NLU) classifiers to analyze the context of the email, checking for intents and related topics that indicate a credential theft scheme. Additionally, it uses regular expressions to scrutinize the first line of the message for these key phrases while excluding common benign wording, such as a request to add the sender to a safe senders list. This multi-layered approach aims to catch phishing attempts that disguise their intent amid seemingly legitimate communications.
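The following is an added illustration of the two-layer logic the summary describes; it is not the Sublime rule itself and does not reproduce its patterns. The phrase lists, the regular expressions, the keyword heuristic that stands in for the NLU credential-theft classifier, and the sample message bodies are all constructed for this example.

```python
import re

# Constructed pattern for 'safe sender' / 'safe content' claims (assumption;
# not the rule's actual regex). Matches "safe senders" too so that the
# allow-list exclusion below has something to suppress.
SAFE_CLAIM_RE = re.compile(
    r"\bsafe\s+(?:senders?|content|message)\b|\b(?:trusted|verified)\s+sender\b",
    re.IGNORECASE,
)

# Benign wording the summary says must be excluded: instructions to add the
# sender to a safe senders list (constructed pattern).
ALLOWLIST_RE = re.compile(
    r"\b(?:add|adding|save)\b.{0,40}?\bsafe\s+senders?\s+list\b",
    re.IGNORECASE,
)

# Stand-in for the NLU credential-theft intent classifier: a keyword
# heuristic requiring at least two hits. A real deployment would call the
# classifier; this list is an assumption for the example.
CRED_THEFT_TERMS = (
    "verify your account",
    "confirm your password",
    "sign in",
    "log in",
    "password",
    "account will be suspended",
    "reactivate",
)


def first_line(body: str) -> str:
    """Return the first non-empty line of the body, whitespace-trimmed."""
    for line in body.splitlines():
        if line.strip():
            return line.strip()
    return ""


def claims_safe_content(body: str) -> bool:
    """True when the first line asserts the message is safe and that line is
    not merely an allow-list instruction."""
    line = first_line(body)
    return bool(SAFE_CLAIM_RE.search(line)) and not ALLOWLIST_RE.search(line)


def credential_theft_intent(body: str) -> bool:
    """Heuristic replacement for the NLU intent check (see note above)."""
    text = body.lower()
    hits = sum(1 for term in CRED_THEFT_TERMS if term in text)
    return hits >= 2


def is_suspicious(body: str) -> bool:
    """Both layers must agree, mirroring the multi-layered approach described."""
    return claims_safe_content(body) and credential_theft_intent(body)


# Constructed sample bodies.
PHISH = (
    "This message is from a safe sender and has been scanned.\n"
    "Your mailbox password expires today. Sign in within 24 hours to confirm "
    "your password or your account will be suspended.\n"
)
BENIGN_ALLOWLIST = (
    "To keep receiving our newsletter, please add us to your safe senders list.\n"
    "This month's issue covers tips for password managers.\n"
)
LATER_LINE = (
    "Hi team,\n"
    "This is safe content from IT. Please log in and verify your account.\n"
)

if __name__ == "__main__":
    for name, body in (("PHISH", PHISH), ("BENIGN_ALLOWLIST", BENIGN_ALLOWLIST), ("LATER_LINE", LATER_LINE)):
        print(f"{name}: safe_claim={claims_safe_content(body)} "
              f"intent={credential_theft_intent(body)} suspicious={is_suspicious(body)}")
```

The third sample shows why scoping the regex to the first line matters: the 'safe content' claim appears only on the second line, so the claim check does not fire even though the intent heuristic does, and the message is left for other rules to judge.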
Categories
- Identity Management
- Cloud
- Web
- Endpoint
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2026-01-06