EML attachment with credential theft language (unknown sender)

Sublime Rules

Summary
This detection rule targets EML attachments containing credential theft language sent by unknown senders. It inspects inbound email for attachments with the MIME type 'message/rfc822' or a '.eml' file extension. The rule applies Natural Language Understanding (NLU) classification to the content of each EML file and fires when the classifier identifies credential theft intent with high confidence. To reduce false positives, the rule excludes mail from known system accounts (e.g., postmaster, mailer-daemon, administrator) and skips messages that carry Mimecast Attachment Protection or Microsoft Dynamic Delivery disclaimers. It also excludes bounce-back messages and read receipts. Finally, the rule checks the sender profile: the sender must either have a history of malicious messages or not have been previously marked as a false positive. Together these conditions improve protection against phishing attacks that aim to steal credentials.
Categories
  • Cloud
  • Web
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2023-11-22