
Link: Job recruitment lure from unsolicited sender with suspicious hosting

Sublime Rules

Summary
This rule detects inbound email messages that attempt credential phishing through a job recruitment lure. It targets unsolicited senders on domains that are commonly abused and scans for recruitment-oriented language in the sender display name, subject, or message body.

The link analysis focuses on URLs in the email body whose domain contains a well-known brand name (e.g., Ferrari, Tesla, Nike, Adidas, Coca-Cola, Instagram, Spotify) or that otherwise embed a brand name in the URL, while excluding links whose root domain is the brand's own legitimate domain, to reduce false positives. It also looks for suspicious hosting indicators: links hosted on free file hosts, free subdomain hosts, or URL shorteners.

Negative filtering excludes messages that contain common non-phishing terms (e.g., unsubscribe, certain legal or event terms) so that legitimate communications are not flagged.

The rule requires that the sender's domain is among a set of commonly abused sender domains (e.g., hireology.com, appsheet.com, welcomekit.co, xero.com) and that the sender display name or subject contains recruitment-related keywords (careers, jobs) or brand-related terms, in combination with the suspicious URL patterns above. It combines content analysis (regex over body, subject, and text), sender analysis (domain and display name checks), and URL analysis (domain and root_domain checks) to identify credential phishing delivered through social engineering. A match generates a security alert for a potential phishing campaign that tries to lure recipients into providing credentials or clicking credential-stealing links.
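To make the decision logic in the summary concrete, the following is an added Python sketch of the same checks run over constructed sample messages. It is example code written for this page, not the rule's own MQL or Sublime's implementation. The sender domains are the ones the summary names; the brand-to-domain map, the free host and shortener lists, the negative terms and the recruitment regex are assumed stand-ins, and root_domain is a naive two-label extraction rather than the public-suffix-aware function the rule uses.

```python
import re
from urllib.parse import urlparse

# All lists below are illustrative assumptions for this example, not the
# rule's own values. The sender domains are the ones named in the summary;
# the brand-to-domain map, free hosts, shorteners, negative terms and the
# recruitment regex are hypothetical stand-ins.
ABUSED_SENDER_DOMAINS = {"hireology.com", "appsheet.com", "welcomekit.co", "xero.com"}
BRAND_DOMAINS = {  # brand keyword -> the brand's legitimate root domain
    "ferrari": "ferrari.com", "tesla": "tesla.com", "nike": "nike.com",
    "adidas": "adidas.com", "coca-cola": "coca-cola.com",
    "instagram": "instagram.com", "spotify": "spotify.com",
}
FREE_HOSTS = {"weebly.com", "wixsite.com", "github.io"}  # free file / subdomain hosts
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
RECRUIT_RE = re.compile(r"\b(careers?|jobs?|hiring|recruit\w*)\b", re.I)
NEGATIVE_RE = re.compile(r"\b(unsubscribe|terms of service|webinar)\b", re.I)
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def root_domain(host):
    """Naive registered-domain extraction (last two labels). A production
    implementation needs a public-suffix list to handle e.g. example.co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def flatten(text):
    """Lower-case and drop hyphens so 'Coca-Cola' matches 'cocacola-hr'."""
    return text.lower().replace("-", "")


def link_findings(url):
    """Reasons a single URL looks suspicious under the rule's logic."""
    host = (urlparse(url).hostname or "").lower()
    root = root_domain(host)
    findings = []
    for brand, legit_root in BRAND_DOMAINS.items():
        # Brand name in the host or anywhere in the URL, but the link does
        # not resolve to the brand's own root domain (the false-positive
        # exclusion from the summary).
        if flatten(brand) in flatten(url) and root != legit_root:
            findings.append(f"brand '{brand}' in URL but root domain is {root}")
    if root in FREE_HOSTS:
        findings.append(f"hosted on free/subdomain host {root}")
    if root in URL_SHORTENERS:
        findings.append(f"URL shortener {root}")
    return findings


def evaluate(msg):
    """Return (matched, reasons) for a message dict with keys
    'from', 'display_name', 'subject' and 'body'."""
    if sender_domain(msg["from"]) not in ABUSED_SENDER_DOMAINS:
        return False, ["sender domain not in commonly abused list"]
    if NEGATIVE_RE.search(msg["body"]):
        return False, ["negative filter: non-phishing term in body"]
    lure = f"{msg['display_name']} {msg['subject']}"
    brand_in_lure = any(flatten(b) in flatten(lure) for b in BRAND_DOMAINS)
    if not (RECRUIT_RE.search(lure) or brand_in_lure):
        return False, ["no recruitment or brand lure in display name/subject"]
    findings = []
    for url in URL_RE.findall(msg["body"]):
        findings.extend(link_findings(url))
    if not findings:
        return False, ["no suspicious links in body"]
    return True, findings


# Constructed sample messages for this example (not real email).
SAMPLE_MESSAGES = {
    "phish": {
        "from": "noreply@hireology.com", "display_name": "Tesla Careers",
        "subject": "Tesla is hiring: apply by Friday",
        "body": "We reviewed your profile. Apply here: https://tesla-careers.weebly.com/apply",
    },
    "legit_brand_domain": {
        "from": "jobs@hireology.com", "display_name": "Nike Careers",
        "subject": "Your Nike application",
        "body": "Track your application at https://jobs.nike.com/status",
    },
    "newsletter": {
        "from": "news@xero.com", "display_name": "Xero Jobs",
        "subject": "New jobs this week",
        "body": "This week's picks: https://bit.ly/3xyzabc . To stop these, unsubscribe at any time.",
    },
    "unknown_sender": {
        "from": "hr@example.com", "display_name": "Ferrari Careers",
        "subject": "Ferrari is hiring",
        "body": "Apply now: https://ferrari-jobs.weebly.com/apply",
    },
    "shortener": {
        "from": "noreply@appsheet.com", "display_name": "Careers Team",
        "subject": "Interview invitation",
        "body": "Confirm your interview slot: https://bit.ly/3abcdef",
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        matched, reasons = evaluate(msg)
        print(f"{name:>18}: {'ALERT' if matched else 'pass '} {reasons}")
```

The order of the checks mirrors the summary: the cheap sender-domain gate and the negative filter run first, so a message from a sender outside the abused list, or one carrying an unsubscribe footer, never reaches the link analysis. The "legit_brand_domain" sample shows why the root_domain exclusion matters: the Nike brand appears in the URL, but jobs.nike.com rolls up to nike.com, so it is not counted as a brand mismatch.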
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
Created: 2026-04-08