
Attachment: Office file contains OLE relationship to credential phishing page
Sublime Rules
Summary
This detection rule identifies possible credential phishing delivered through malicious Office file attachments whose Object Linking and Embedding (OLE) relationships point to a credential phishing page. Office Open XML documents record links between parts of the package as relationships, and an OLE relationship can target an external URL rather than an object embedded in the file, which gives an attacker a link-out that is not visible as an ordinary hyperlink in the message body. The rule inspects incoming messages that carry attachments, narrows to attachments with Office file extensions and a size within the bound the analysis supports, and extracts any OLE relationship whose target is an external domain; the rule fires when analysis of that target indicates credential phishing with high confidence. To limit false positives it also weighs the sender's profile: how prevalent the sender's messages are in the environment and whether the sender has a history of malicious behavior. The detection combines file analysis, HTML content evaluation, and natural language processing to identify intent, so a lure does not evade it simply by changing its wording or hosting.
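To make the attachment side of this logic concrete, the following Python is an added example and is not the rule's own query language or Sublime's implementation. It builds a minimal .docx-shaped package in memory (a constructed fixture, not a real lure; the host `login-verify.example` is a reserved example name), then applies the gating the summary describes: Office extension, size bound, and extraction of OLE relationships whose `TargetMode` is `External` and whose target is an http(s) URL. The extension list and size cap are assumptions chosen for the example; the relationship namespace and the `oleObject` relationship type URI are the standard ECMA-376 values. The extracted domain is what a real rule would hand to link analysis; that step is outside this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumed gating values for this example (not the rule's real thresholds).
OFFICE_EXTENSIONS = {
    "docx", "docm", "dotx", "dotm",
    "xlsx", "xlsm", "xltx", "xltm",
    "pptx", "pptm", "potx", "potm",
}
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024

# Standard OOXML (ECMA-376) namespace and relationship type for OLE objects.
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_OBJECT_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
)


def external_ole_targets(office_bytes):
    """Return (rels_part, target) for every OLE relationship that links outside the package."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(office_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed relationship part: skip it rather than abort the scan
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_OBJECT_REL_TYPE:
                    continue
                if rel.get("TargetMode") != "External":
                    continue  # embedded objects live inside the zip; only external ones link out
                targets.append((name, rel.get("Target", "")))
    return targets


def flag_attachment(filename, content):
    """Gate on extension and size, then report external OLE targets that are http(s) URLs."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in OFFICE_EXTENSIONS or len(content) > MAX_ATTACHMENT_BYTES:
        return []
    if not zipfile.is_zipfile(io.BytesIO(content)):
        return []  # an Office extension on a non-zip body is a different signal; not handled here
    hits = []
    for part, target in external_ole_targets(content):
        parsed = urlparse(target)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            # In a real pipeline this domain/URL would go to link analysis for the phishing verdict.
            hits.append({"part": part, "url": target, "domain": parsed.hostname.lower()})
    return hits


def build_sample_docx(ole_target, external=True):
    """Construct a minimal .docx-like zip with one OLE relationship (test fixture, not a real document)."""
    mode_attr = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OLE_OBJECT_REL_TYPE}" Target="{ole_target}"{mode_attr}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx("https://login-verify.example/portal")
    for hit in flag_attachment("invoice.docx", lure):
        print(f"external OLE target in {hit['part']}: {hit['url']} (domain {hit['domain']})")
```

The check deliberately ignores `oleObject` relationships without `TargetMode="External"`, since those reference parts stored inside the package and carry no link to a remote page; keying on the relationship type rather than on the `.bin` payload also means the document body does not need to be rendered to surface the target.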
Categories
- Endpoint
- Application
- Web
Data Sources
- File
- Process
- Network Traffic
Created: 2023-08-25