
Summary
This rule detects inbound email messages that impersonate a secure email portal. It triggers on an empty subject combined with specific content indicators in the message body, surfacing attempts to conceal the true sender and mislead recipients through HTML obfuscation, portal-like phrasing, and suspicious link usage. Key indicators include hidden HTML characters used to mask the sender address, the recipient's own domain echoed back as the portal sender, a deliberate typo in the portal template ("commuication portal"), and tracking/link patterns tied to known secure messaging infrastructure (e.g., linkprotect.cudasvc.com with a crId or OriginalLink parameter). The detection logic combines content analysis, HTML analysis, URL analysis, sender analysis, and threat intelligence to surface credential phishing attempts that rely on spoofing and social engineering. The rule is categorized under Credential Phishing and maps to evasion, social engineering, and spoofing techniques, with detection hooks spanning HTML rendering, link analysis, and sender identity verification.
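The indicators above, applied to a constructed message as an added Python illustration (example code written for this page, not the rule's own logic or query language). The set of invisible code points, the 40-character proximity window for the echoed domain, and the "empty subject plus at least two body indicators" threshold are assumptions; the page does not give the rule's exact combination logic.

```python
import re
from email import message_from_bytes
from urllib.parse import urlparse, parse_qs

# Constructed sample (not a real capture) carrying every indicator the rule names.
SAMPLE = """From: "Secure Portal" <no-reply@example.net>
To: alice@victim.example
Subject:
Content-Type: text/html; charset=utf-8

<html><body><p>Your victim.example secure commuication portal has a new message.</p>
<p>Sender: ali\u200bce@victim.example</p>
<a href="https://linkprotect.cudasvc.com/url?a=https://placeholder.example/&crId=0000">Open</a>
</body></html>
"""

HIDDEN_CHARS = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")  # invisible code points (assumed set)
HREF = re.compile(r"href=[\"']([^\"']+)[\"']", re.I)

def html_body(msg) -> str:  # decoded text/html part of a parsed message, or "" if there is none
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    return ""

def hidden_chars_present(html: str) -> bool:
    return HIDDEN_CHARS.search(html) is not None  # invisible characters that mask a displayed address

def recipient_domain_echoed(html: str, recipient: str) -> bool:  # recipient's own domain named as the portal
    domain = re.escape(recipient.rsplit("@", 1)[-1].strip(" <>").lower())
    return bool(domain) and re.search(rf"\b{domain}\b.{{0,40}}portal", html, re.I | re.S) is not None

def portal_typo_present(html: str) -> bool:
    return re.search(r"commuication\s+portal", html, re.I) is not None  # the template's tell-tale typo

def link_protect_indicator(html: str) -> bool:  # linkprotect.cudasvc.com URL carrying crId or OriginalLink
    for p in map(urlparse, HREF.findall(html)):
        if p.hostname == "linkprotect.cudasvc.com" and {"crid", "originallink"} & {k.lower() for k in parse_qs(p.query)}:
            return True
    return False

def evaluate(raw: str) -> dict:  # verdict: empty subject plus at least two body indicators (assumed threshold)
    msg = message_from_bytes(raw.encode("utf-8"))
    html = html_body(msg)
    hits = {"empty_subject": not (msg.get("Subject") or "").strip(), "portal_typo": portal_typo_present(html),
            "hidden_chars": hidden_chars_present(html), "link_protect": link_protect_indicator(html),
            "recipient_domain_echoed": recipient_domain_echoed(html, msg.get("To", ""))}
    hits["match"] = hits["empty_subject"] and sum(v for k, v in hits.items() if k != "empty_subject") >= 2
    return hits
```

Parsing the message as bytes matters: with a str-parsed message, `get_payload(decode=True)` escapes non-ASCII characters and the zero-width space check would silently fail.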
Categories
- Network
- Application
- Web
Data Sources
- Network Traffic
- Application Log
Created: 2026-06-19