
Summary
This detection rule targets potential credential phishing attempts characterized by messages containing phrases commonly used in phishing lures, such as "secure message," "document portal," or "encrypted message." The rule leverages natural language understanding (NLU) classifiers to analyze the body of the message and identify high-confidence credential theft intent. It also examines other indicators, such as whether the message contains links, to determine whether the message is suspicious. The sender's domain is checked against known legitimate senders to filter out false positives, and the rule assesses whether the message was solicited and whether the sender has a history of malicious activity. Highly trusted sender domains are exempted from the rule unless the message fails DMARC authentication, since a failure suggests the trusted domain is being spoofed. With multiple checks on the body content, links, and sender reputation, this rule aims to minimize the chances of fraudulent messages reaching users, thus reducing the risk of credential theft.
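The following is an added worked example of the decision logic the summary describes, not the rule's own code. The NLU credential-theft classifier is replaced by a hand-built keyword scorer, the legitimate-sender and highly-trusted-domain lists are constructed placeholders, and all sample messages and domains are made up for this example; only the order and shape of the checks follow the summary.

```python
import re
from dataclasses import dataclass

# Phrases named by the rule summary as typical secure-message lures.
LURE_PHRASES = ("secure message", "document portal", "encrypted message")

# Stand-in for the NLU credential-theft intent classifier (an assumption of
# this example): surface cues that a learned model would pick up on.
CREDENTIAL_THEFT_CUES = (
    "sign in", "log in", "login", "verify your account", "password",
    "credentials", "confirm your identity", "view document",
)

# Constructed allowlists; the real rule's lists are not given on the page.
KNOWN_LEGITIMATE_DOMAINS = {"known-sender.example"}
HIGHLY_TRUSTED_DOMAINS = {"trusted-vendor.example"}

LINK_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


@dataclass
class Message:
    sender_domain: str
    body: str
    dmarc_pass: bool                 # DMARC authentication result
    solicited: bool                  # recipient previously mailed this sender
    sender_malicious_history: bool   # sender previously sent malicious/spam mail


def classify_credential_theft(body: str) -> float:
    """Return a 0.0-1.0 confidence that the body is a credential-theft lure."""
    text = body.lower()
    hits = sum(1 for cue in CREDENTIAL_THEFT_CUES if cue in text)
    return min(1.0, hits / 3)


def is_credential_phishing(msg: Message, threshold: float = 0.67) -> bool:
    """Apply the rule's checks in order; every gate must agree for a hit."""
    body = msg.body.lower()
    if not any(phrase in body for phrase in LURE_PHRASES):
        return False                                  # no secure-message lure
    if classify_credential_theft(msg.body) < threshold:
        return False                                  # intent not high-confidence
    if not LINK_RE.search(msg.body):
        return False                                  # nothing to click on
    domain = msg.sender_domain.lower()
    if domain in KNOWN_LEGITIMATE_DOMAINS:
        return False                                  # known legitimate sender
    if domain in HIGHLY_TRUSTED_DOMAINS and msg.dmarc_pass:
        return False                                  # trusted and not spoofed
    if msg.solicited and not msg.sender_malicious_history:
        return False                                  # expected mail, clean sender
    return True


LURE_BODY = ("You have received a secure message. Sign in to view document: "
             "http://portal.lookalike.example/login and enter your password.")

# Constructed sample messages, one per branch of the rule.
SAMPLES = {
    "unsolicited_lure": Message("notify.lookalike.example", LURE_BODY, True, False, False),
    "known_legitimate": Message("known-sender.example", LURE_BODY, True, False, False),
    "trusted_dmarc_pass": Message("trusted-vendor.example", LURE_BODY, True, False, False),
    "trusted_dmarc_fail": Message("trusted-vendor.example", LURE_BODY, False, False, False),
    "solicited_clean": Message("partner.example", LURE_BODY, True, True, False),
    "solicited_bad_history": Message("partner.example", LURE_BODY, True, True, True),
    "lure_without_link": Message(
        "notify.lookalike.example",
        "A secure message awaits; sign in to view document with your password.",
        True, False, False),
    "lure_low_intent": Message(
        "notify.lookalike.example",
        "Your encrypted message is ready: http://mail.lookalike.example/m/1",
        True, False, False),
}


def evaluate_samples() -> dict:
    """Run the rule over every constructed sample and return name -> verdict."""
    return {name: is_credential_phishing(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:24s} -> {'PHISH' if verdict else 'clean'}")
```

The two DMARC samples are the ones worth studying: the same lure from a highly trusted domain is suppressed when DMARC passes and flagged when it fails, which is how the exemption avoids becoming a free pass for spoofed trusted brands. The solicited-sender pair shows the other asymmetry: prior correspondence only suppresses the hit while the sender's history stays clean.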
Categories
- Endpoint
- Web
- Identity Management
Data Sources
- User Account
- Application Log
- Process
Created: 2023-08-04