
Summary
This detection rule identifies potential credential phishing attempts in inbound messages that contain links leading to phishing pages. It targets messages from unknown senders who may attempt to deceive recipients into entering sensitive information on a malicious page. The rule applies several conditions: it checks that the message body contains fewer than 10 links, then uses machine learning to analyze those links, flagging any that are classified as phishing with medium or high confidence or that present a captcha. It assesses the sender profile to flag unknown senders whose messaging behavior deviates from common patterns, and it excludes known legitimate threads by checking the subject line for a reply. To limit false positives, messages from high-trust sender domains are excluded unless they fail DMARC authentication. The rule additionally excludes bounce-back messages and delivery receipts, keeping its focus on genuine phishing attempts rather than legitimate communications. This layered approach is intended to improve detection of phishing attacks in email communications.
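The following is an added illustration of the rule's gating logic, not the rule's own query language or code: each condition above is modeled as a field on a constructed message record, with the link-analysis verdicts and sender-profile results supplied as inputs (the `Link` and `Message` names and the `ml_phishing_confidence` field are assumptions made for this example).

```python
from dataclasses import dataclass

@dataclass
class Link:
    url: str
    ml_phishing_confidence: str   # assumed verdict from the link analyzer: "low", "medium" or "high"
    has_captcha: bool = False     # link resolves to a page that presents a captcha

@dataclass
class Message:
    subject: str
    links: list
    sender_known: bool            # sender profile: recipient has an established history with this sender
    high_trust_domain: bool       # sender domain is on the high-trust list
    dmarc_pass: bool              # message passed DMARC authentication
    is_bounce_or_receipt: bool    # bounce-back or delivery receipt

def link_is_suspicious(link: Link) -> bool:
    # A link counts if ML calls it phishing with medium/high confidence, or it features a captcha.
    return link.ml_phishing_confidence in ("medium", "high") or link.has_captcha

def is_reply(subject: str) -> bool:
    # Replies in an existing thread are treated as known legitimate conversations.
    return subject.strip().lower().startswith("re:")

def matches_rule(msg: Message) -> bool:
    if msg.is_bounce_or_receipt:            # exclude bounce-backs and delivery receipts
        return False
    if len(msg.links) >= 10:                # only messages with fewer than 10 links are analyzed
        return False
    if not any(link_is_suspicious(l) for l in msg.links):
        return False
    if msg.sender_known:                    # only unknown senders are flagged
        return False
    if is_reply(msg.subject):               # exclude known legitimate threads
        return False
    if msg.high_trust_domain and msg.dmarc_pass:   # high-trust domains pass unless DMARC fails
        return False
    return True

# Constructed sample messages (not real traffic).
PHISH = Message("Action required: verify your account",
                [Link("https://example.invalid/login", "high")],
                sender_known=False, high_trust_domain=False, dmarc_pass=True, is_bounce_or_receipt=False)
SPOOFED_TRUSTED = Message("Password expiry notice",
                          [Link("https://example.invalid/reset", "medium", has_captcha=True)],
                          sender_known=False, high_trust_domain=True, dmarc_pass=False, is_bounce_or_receipt=False)
THREAD_REPLY = Message("Re: invoice", [Link("https://example.invalid/doc", "high")],
                       sender_known=False, high_trust_domain=False, dmarc_pass=True, is_bounce_or_receipt=False)
```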
Categories
- Web
- Endpoint
- Identity Management
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2022-09-28