
Service abuse: Behance document sharing with suspicious language

Sublime Rules

Summary
This rule flags inbound messages that attempt credential phishing with a single Behance gallery link wrapped in document-sharing language. It requires the message text to be under 10,000 characters and to contain specific phrases (e.g., "proposal", "specified link", "secure"). It then requires that exactly one link in the message resolves to a Behance gallery: both the href and the display URL must point to behance.net with a /gallery/ path, so a link whose visible text is not itself a behance.net gallery URL does not count. Messages from high-trust senders that pass DMARC are excluded, which reduces false positives from trusted domains.

The detection combines content analysis (keyword constraints) with URL analysis (domain and path checks). Its intended use is to identify credential phishing disguised as legitimate Behance gallery sharing, a social engineering lure that may prompt the recipient to reveal credentials or engage with a malicious resource.

Limitations include reliance on exact language patterns, the restriction to a single gallery link, and misses if attackers vary the phrasing or use other hosting domains; legitimate messages that reference a Behance gallery link could also trigger false positives if the surrounding context is not considered. Tuning could broaden the language variants, allow multiple gallery links at a lower risk threshold, or add corroborating signals (attachments, sender reputation, DMARC failures).
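The following Python model of the rule's conditions is an added example, not the rule's own MQL or any Sublime code. It assumes that the three phrases the summary names are the full required set (all must appear), that the high-trust sender list is a small hard-coded stand-in, and it runs over constructed sample messages (`SAMPLES`) rather than real captures. Everything else (length bound, href and display-URL checks, DMARC-pass exclusion) follows the summary above.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (not from the rule source): the page lists "proposal",
# "specified link" and "secure" only as examples; this model requires all
# three. HIGH_TRUST_DOMAINS is a stand-in for Sublime's curated list.
REQUIRED_PHRASES = ("proposal", "specified link", "secure")
MAX_TEXT_LEN = 10_000
HIGH_TRUST_DOMAINS = {"adobe.com", "behance.net"}

@dataclass
class Message:
    sender_domain: str   # root domain of the From: address
    dmarc_pass: bool     # DMARC authentication result
    html_body: str       # rendered HTML body

class _LinkExtractor(HTMLParser):
    """Collect (href, display text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links

def visible_text(html):
    # Crude tag stripping; enough for the length and phrase checks here.
    return re.sub(r"<[^>]+>", " ", html)

def is_behance_gallery(url):
    """Host is behance.net (or a subdomain) and the path is under /gallery/."""
    if "://" not in url:
        url = "https://" + url          # display text is often scheme-less
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    host = (parsed.hostname or "").lower()
    on_behance = host == "behance.net" or host.endswith(".behance.net")
    return on_behance and parsed.path.startswith("/gallery/")

def matches_rule(msg):
    """Mirror of the rule's conditions as summarised on this page."""
    text = visible_text(msg.html_body)
    if len(text) >= MAX_TEXT_LEN:
        return False
    lowered = text.lower()
    if not all(phrase in lowered for phrase in REQUIRED_PHRASES):
        return False
    # Both the href and the displayed URL must be Behance gallery URLs.
    gallery_links = [
        (href, shown) for href, shown in extract_links(msg.html_body)
        if is_behance_gallery(href) and is_behance_gallery(shown)
    ]
    if len(gallery_links) != 1:
        return False
    # Negation: high-trust sender whose DMARC passes.
    if msg.sender_domain.lower() in HIGH_TRUST_DOMAINS and msg.dmarc_pass:
        return False
    return True

# Constructed sample messages (not real phishing captures).
LURE = ("<p>Hi, please review the proposal at the specified link below. "
        "The document is shared over a secure portal.</p>")
GALLERY = "https://www.behance.net/gallery/123456789/Project-Proposal"
SAMPLES = {
    "lure_single_gallery_link": Message(
        "example.com", False, LURE + f'<a href="{GALLERY}">{GALLERY}</a>'),
    "lure_from_high_trust_dmarc_pass": Message(
        "adobe.com", True, LURE + f'<a href="{GALLERY}">{GALLERY}</a>'),
    "lure_display_text_not_url": Message(
        "example.com", False, LURE + f'<a href="{GALLERY}">Open the proposal</a>'),
    "lure_two_gallery_links": Message(
        "example.com", False,
        LURE + f'<a href="{GALLERY}">{GALLERY}</a> <a href="{GALLERY}">{GALLERY}</a>'),
    "lure_missing_phrases": Message(
        "example.com", False,
        f'<p>Please review the proposal.</p><a href="{GALLERY}">{GALLERY}</a>'),
}

def evaluate_samples():
    """Return {sample name: True if the rule would fire}."""
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}
```

Only the first sample fires: the DMARC-passing high-trust sender is excluded, a link whose visible text is prose rather than a gallery URL fails the display-URL check, two gallery links break the "exactly one" constraint, and a body missing any required phrase never reaches the link check. The model also shows why a lookalike host such as `behance.net.evil.example` does not match: the check is on the parsed hostname, not a substring search.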
Categories
  • Web
  • Endpoint
Data Sources
  • Network Traffic
Created: 2026-03-28