Link: Credential Phishing via WordPress

Sublime Rules

Summary
This rule detects credential phishing that abuses compromised WordPress blogs while the email itself is sent from a non-WordPress domain. It requires all of the following: the sender's email domain is not wordpress.com; the message contains between one and five links; exactly one of those links is a non-WordPress URL that redirects to a WordPress domain; and the message headers show it is not a reply. Link analysis is then applied to that link, and the rule fires when the link is classified as phishing or the landing page states that the blog has been archived or suspended. Combining URL and header signals in this way catches credential-harvesting lures that borrow the credibility of a WordPress-hosted page while evading checks that look only at the sending domain.
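The following is an added example, not the rule's own MQL or any code from Sublime Rules: it approximates the criteria in the summary as a Python function run over constructed message objects. The `Link`/`Message` classes, the `ml_phishing` flag standing in for a link-analysis verdict, the naive root-domain extraction, the reply heuristic and the "blog has been archived or suspended" phrasing are all assumptions made for the illustration.

```python
"""Approximation of the detection logic described in the rule summary.

Added example (not Sublime's rule): constructed messages, a stand-in for the
link-analysis verdict, and a hypothetical matches() function.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: the rule compares registered (root) domains against wordpress.com.
WORDPRESS_ROOT = "wordpress.com"
# Assumed phrasing of the notice shown on a suspended WordPress blog.
SUSPENDED_RE = re.compile(r"blog has been (archived|suspended)", re.IGNORECASE)


@dataclass
class Link:
    href: str                  # URL as it appears in the message body
    redirect_chain: list       # URLs seen when the link is followed (constructed)
    landing_text: str = ""     # visible text of the final page (constructed)
    ml_phishing: bool = False  # stand-in for a link-analysis "phishing" verdict


@dataclass
class Message:
    sender_domain: str
    headers: dict
    links: list = field(default_factory=list)


def root_of_host(host: str) -> str:
    """Naive registered-domain extraction: last two DNS labels of the host."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def root_domain(url: str) -> str:
    return root_of_host(urlparse(url).hostname or "")


def is_reply(headers: dict) -> bool:
    """Treat threading headers or a 'Re:' subject as evidence of a reply."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "in-reply-to" in lowered or "references" in lowered:
        return True
    return lowered.get("subject", "").strip().lower().startswith("re:")


def redirects_to_wordpress(link: Link) -> bool:
    """True when a non-WordPress href lands on a wordpress.com page after redirects."""
    if root_domain(link.href) == WORDPRESS_ROOT:
        return False
    return bool(link.redirect_chain) and root_domain(link.redirect_chain[-1]) == WORDPRESS_ROOT


def matches(msg: Message) -> bool:
    """Apply the summary's criteria in order; every check must hold."""
    if root_of_host(msg.sender_domain) == WORDPRESS_ROOT:
        return False                      # sender must not be wordpress.com
    if not 1 <= len(msg.links) <= 5:
        return False                      # limited number of links
    if is_reply(msg.headers):
        return False                      # not a reply
    candidates = [l for l in msg.links if redirects_to_wordpress(l)]
    if len(candidates) != 1:
        return False                      # exactly one non-WP link redirecting to WP
    link = candidates[0]
    return link.ml_phishing or bool(SUSPENDED_RE.search(link.landing_text))


# Constructed samples (hostnames under .example are placeholders).
WP_LINK = Link(
    href="https://short.example/abc",
    redirect_chain=["https://short.example/abc", "https://secure-login-docs.wordpress.com/"],
    landing_text="Sign in with your email to view the shared document",
    ml_phishing=True,
)
PHISH = Message("mail.example-invoices.net", {"Subject": "Document shared with you"}, [WP_LINK])
SUSPENDED = Message(
    "mail.example-invoices.net", {"Subject": "Invoice"},
    [Link("https://short.example/xyz",
          ["https://short.example/xyz", "https://old-site.wordpress.com/"],
          "This blog has been archived or suspended.")],
)
FROM_WORDPRESS = Message("wordpress.com", {"Subject": "Document shared with you"}, [WP_LINK])
REPLY = Message("mail.example-invoices.net",
                {"Subject": "Re: Document", "In-Reply-To": "<1@example.net>"}, [WP_LINK])
TOO_MANY = Message("mail.example-invoices.net", {"Subject": "Links"}, [WP_LINK] * 6)

if __name__ == "__main__":
    for name, m in [("PHISH", PHISH), ("SUSPENDED", SUSPENDED),
                    ("FROM_WORDPRESS", FROM_WORDPRESS), ("REPLY", REPLY), ("TOO_MANY", TOO_MANY)]:
        print(f"{name}: {matches(m)}")
```

The ordering mirrors how such rules are usually written: cheap header and count checks first, and the more expensive link analysis only on the single candidate link that survives them.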
Categories
  • Web
  • Cloud
  • Application
  • Endpoint
Data Sources
  • User Account
  • Network Traffic
  • Web Credential
Created: 2025-04-11