
Summary
This rule detects credential phishing attempts delivered via inbound messages that use fake credit card delivery or approval themes combined with credential theft intent. Detection logic requires that: (1) the message is inbound and contains the word "card" in either the subject or body; (2) the body contains a lure phrase such as "could be with you", "currently accessible", "collect bank details", or "not a financial institution"; (3) at least one link has display text suggesting tracking (e.g., "track order", "track card", "card status"); (4) the NLU classifier infers credential theft intent from the message text with high confidence; and (5) the sender is not a high-trust sender whose message passes DMARC. The rule combines content analysis, NLP/NLU, URL/link analysis, and sender authentication checks to flag credential theft attempts while reducing false positives from trusted domains.
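The five conditions above, carried through as an added Python example that is not the rule's own code. It assumes a hypothetical `Message` model in which the NLU classifier's verdict arrives as input fields (`nlu_intent`, `nlu_confidence`), a constructed high-trust domain allow-list, and constructed sample messages: one phishing lure, the same lure from an allow-listed issuer that passes DMARC (suppressed by condition 5), the same from an allow-listed domain that fails DMARC (still flagged), one without a tracking-style link, and one where the classifier is only medium-confident.

```python
import re
from dataclasses import dataclass, field, replace
from typing import Dict, List

# Lure phrases and tracking-link text taken from the rule description.
LURE_PHRASES = (
    "could be with you",
    "currently accessible",
    "collect bank details",
    "not a financial institution",
)
CARD_WORD = re.compile(r"\bcard\b", re.IGNORECASE)
TRACKING_TEXT = re.compile(
    r"\btrack(?:ing)?\s+(?:your\s+)?(?:order|card|status)\b|\bcard\s+status\b",
    re.IGNORECASE,
)
# Constructed allow-list standing in for the platform's high-trust sender list.
HIGH_TRUST_DOMAINS = {"bank.example", "cardissuer.example"}


@dataclass
class Link:
    display_text: str
    href: str


@dataclass
class Message:
    """Hypothetical message model. The nlu_* fields are the assumed output of an
    upstream NLU classifier; this code does not compute them."""
    sender_domain: str
    subject: str
    body: str
    links: List[Link] = field(default_factory=list)
    nlu_intent: str = "none"
    nlu_confidence: str = "low"      # "low" | "medium" | "high"
    dmarc_pass: bool = False
    direction: str = "inbound"


def evaluate(msg: Message) -> Dict[str, bool]:
    """Evaluate each rule condition and return the per-condition results plus the verdict."""
    body_lower = msg.body.lower()
    conditions = {
        "inbound": msg.direction == "inbound",
        "card_word": bool(CARD_WORD.search(msg.subject) or CARD_WORD.search(msg.body)),
        "lure_phrase": any(p in body_lower for p in LURE_PHRASES),
        "tracking_link": any(TRACKING_TEXT.search(l.display_text) for l in msg.links),
        "cred_theft_high": msg.nlu_intent == "cred_theft" and msg.nlu_confidence == "high",
        # Suppress only when the sender is high-trust AND the message passes DMARC;
        # an allow-listed domain that fails DMARC may be spoofed and is still flagged.
        "not_trusted_dmarc": not (msg.sender_domain in HIGH_TRUST_DOMAINS and msg.dmarc_pass),
    }
    conditions["matched"] = all(conditions.values())
    return conditions


# Constructed sample messages (not real mail).
PHISH = Message(
    sender_domain="delivery-notice.example",
    subject="Your card is on its way",
    body=("Your new card could be with you in 2 days and is currently accessible online. "
          "Please confirm your identity so we can collect bank details."),
    links=[Link("Track card", "https://delivery-notice.example/verify")],
    nlu_intent="cred_theft", nlu_confidence="high", dmarc_pass=False,
)
# Same lure from an allow-listed issuer that passes DMARC: suppressed by condition 5.
TRUSTED = replace(PHISH, sender_domain="bank.example", dmarc_pass=True)
# Allow-listed domain but DMARC fails (possible spoof): still flagged.
SPOOFED_TRUSTED = replace(PHISH, sender_domain="bank.example", dmarc_pass=False)
# Lure text present but no tracking-style link: condition 3 fails.
NO_LINK = replace(PHISH, links=[Link("Learn more", "https://delivery-notice.example/info")])
# Classifier only medium-confident: condition 4 fails.
LOW_CONF = replace(PHISH, nlu_confidence="medium")

if __name__ == "__main__":
    for name, msg in [("phish", PHISH), ("trusted", TRUSTED),
                      ("spoofed_trusted", SPOOFED_TRUSTED),
                      ("no_link", NO_LINK), ("low_conf", LOW_CONF)]:
        result = evaluate(msg)
        failed = [k for k, v in result.items() if k != "matched" and not v]
        print(f"{name:16} matched={result['matched']} failed={failed}")
```

Returning the per-condition dictionary rather than a bare boolean is the useful part for tuning: when a message is suppressed, the failing condition names show whether it was the trust/DMARC exclusion, a missing tracking link, or a low-confidence classifier verdict, which is what an analyst needs when adjusting the lure phrase list or the allow-list.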
Categories
- Endpoint
- Web
Data Sources
- Application Log
Created: 2026-03-25