
Summary
This rule targets email phishing attempts that impersonate legitimate communications by manipulating text, specifically by substituting Cyrillic vowels for Latin ones in the sender display name or subject. The detection looks for unsolicited emails that contain between one and nine hyperlinks and checks the subject and sender display name for these substitutions. It also applies a regex for expressions commonly found in phishing emails, such as account notifications and security alerts, which typically signal urgency or required action. To reduce false positives, the rule excludes senders that are recognized as solicited or that have a history of false positives. By combining content and sender analysis, the rule aims to strengthen defenses against credential phishing.
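As an added illustration of the conditions described above (example code written for this page, not the rule's own logic or test data): a Python version that flags a message only when the sender is neither solicited nor a known false-positive source, the body holds one to nine links, the display name or subject mixes Latin letters with a Cyrillic vowel lookalike, and a phishing phrase is present. The confusable set, the phrase regex and the sample messages are assumptions made for the example.

```python
import re
import unicodedata

# Assumed confusable set: Cyrillic code points that render like Latin vowels.
CYRILLIC_VOWEL_LOOKALIKES = {"\u0430", "\u0435", "\u0456", "\u043e",
                             "\u0410", "\u0415", "\u0406", "\u041e"}
# Assumed phrase regex; the summary names only account notifications and security alerts.
PHISHING_PHRASE_RE = re.compile(
    r"account\s+notification|security\s+alert|action\s+required", re.IGNORECASE)
LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def has_cyrillic_vowel_substitution(text):
    """True if any whitespace-delimited token mixes Latin letters with a Cyrillic vowel lookalike."""
    for token in text.split():
        has_latin = any("LATIN" in unicodedata.name(c, "") for c in token)
        has_cyrillic_vowel = any(c in CYRILLIC_VOWEL_LOOKALIKES for c in token)
        if has_latin and has_cyrillic_vowel:
            return True
    return False


def evaluate(msg, solicited_senders=frozenset(), false_positive_senders=frozenset()):
    """Apply the rule's conditions to one message dict; returns (flagged, reasons)."""
    sender = msg["sender"].lower()
    if sender in solicited_senders or sender in false_positive_senders:
        return False, ["sender is solicited or has false-positive history"]
    link_count = len(LINK_RE.findall(msg["body"]))
    if not 1 <= link_count <= 9:
        return False, [f"link count {link_count} outside 1-9"]
    reasons = [f"cyrillic vowel substitution in {f}" for f in ("display_name", "subject")
               if has_cyrillic_vowel_substitution(msg[f])]
    if not reasons:
        return False, ["no cyrillic vowel substitution"]
    if not PHISHING_PHRASE_RE.search(msg["subject"] + " " + msg["display_name"]):
        return False, ["no phishing phrase"]
    return True, reasons + ["phishing phrase present"]


# Constructed sample messages (not from the rule's own test corpus); \u043e is Cyrillic o.
SAMPLE_MESSAGES = [
    {"sender": "alerts@example.com", "display_name": "Micr\u043esoft Security",
     "subject": "Action required: account notification",
     "body": "Review at https://example.com/a and https://example.com/b"},
    {"sender": "alerts@example.com", "display_name": "Microsoft Security",
     "subject": "Action required: account notification",
     "body": "Review at https://example.com/a"},
    {"sender": "news@example.com", "display_name": "Micr\u043esoft Security",
     "subject": "Security alert", "body": "No links in this one."},
]
```

A display name written entirely in Cyrillic contains no Latin letters and is therefore not treated as a substitution, which keeps genuinely Cyrillic senders out of the match.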
Categories
- Endpoint
- Web
- Cloud
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2023-11-28