Brand impersonation: Survey request with credential theft indicators

Sublime Rules

Summary
This detection rule identifies potential brand impersonation attacks that use credential-theft language disguised as a survey request in promotional content. It combines several detection mechanisms. Natural Language Understanding (NLU) classifies the intent, topics, and entities in the message body: the rule looks for high-confidence credential-theft indicators while requiring that the surrounding context is classified as advertising or promotions. It then analyzes the sender's email domain to determine whether it belongs to a high-trust root domain, and applies email authentication checks (such as DMARC) to identify spoofing of that domain. Combining content analysis with header analysis lets the rule catch phishing attempts that try to steal user credentials under the guise of a legitimate survey request. The rule is intended to strengthen an organization's defenses against social engineering attacks that exploit the appearance of a trustworthy brand.
Categories
  • Identity Management
  • Web
  • Cloud
  • Endpoint
Data Sources
  • User Account
  • Process
  • Network Traffic
  • Application Log
Created: 2025-11-09