
Summary
This detection rule identifies potential email address harvesting and credential phishing attempts in inbound messages. It focuses on short email subjects (15 characters or fewer) and scans the message body for patterns that resemble email addresses, using a regular expression that matches common email formats and checks specifically for recognized free email provider domains. The rule additionally requires that no attachments are present and that the message body contains only a single link. The detection hinges on the email's authentication summary, in particular the results of the DMARC and SPF checks. If these checks fail, the rule further evaluates the sender's profile to reduce false positives, taking into account whether the sender has a history of sending solicited messages or has previously been flagged as malicious or spammy. The rule aims to proactively prevent business email compromise and related phishing attacks by identifying suspicious email patterns.
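The following is an added illustration of the rule's logic, not the rule's own code: it evaluates each condition described above against constructed sample messages. The free-provider domain list, the requirement that both DMARC and SPF fail, and the sender-profile suppression (known solicited senders are suppressed unless previously flagged) are assumptions made here, since the page does not spell them out.

```python
import re
from dataclasses import dataclass, field

# Assumed provider list; the rule's actual list is not given on the page.
FREE_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
MAX_SUBJECT_LEN = 15  # "15 characters or fewer"

@dataclass
class SenderProfile:
    solicited_history: bool          # sender has sent solicited mail before
    flagged_malicious_or_spam: bool  # sender previously flagged

@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    dmarc_pass: bool = True
    spf_pass: bool = True
    sender: SenderProfile = field(default_factory=lambda: SenderProfile(True, False))

def body_has_free_provider_address(body):
    """True if any email-like token in the body uses a free provider domain."""
    return any(m.group(1).lower() in FREE_EMAIL_DOMAINS for m in EMAIL_RE.finditer(body))

def matches_rule(msg):
    """Apply every condition from the summary; all must hold to fire."""
    if len(msg.subject) > MAX_SUBJECT_LEN:
        return False
    if not body_has_free_provider_address(msg.body):
        return False
    if msg.attachments:
        return False
    if len(URL_RE.findall(msg.body)) != 1:   # exactly one link allowed
        return False
    if msg.dmarc_pass or msg.spf_pass:        # assumption: both must fail
        return False
    # False-positive control: suppress senders with solicited history unless flagged
    if msg.sender.solicited_history and not msg.sender.flagged_malicious_or_spam:
        return False
    return True

# Constructed samples (not real traffic).
SUSPECT_MSG = Message("Urgent", "Verify at https://example.invalid/verify or reply to finance.dept@gmail.com",
                      dmarc_pass=False, spf_pass=False, sender=SenderProfile(False, False))
KNOWN_SENDER_MSG = Message("Urgent", SUSPECT_MSG.body, dmarc_pass=False, spf_pass=False,
                           sender=SenderProfile(True, False))
CORP_DOMAIN_MSG = Message("Urgent", "See https://example.invalid/doc, contact alice@corp.example",
                          dmarc_pass=False, spf_pass=False, sender=SenderProfile(False, False))
```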
Categories
- Endpoint
- Network
- Cloud
Data Sources
- User Account
- Web Credential
- Network Traffic
- Application Log
Created: 2025-09-06