
Credential Phishing: Suspicious subject with urgent financial request and link
Sublime Rules
Summary
This detection rule identifies suspicious inbound emails that may indicate credential phishing. It applies Natural Language Understanding (NLU) to the subject and body of each message, looking for the combination of a financial request, urgency, and an organization mention coming from an unsolicited sender. The rule then applies structural limits: the message must contain fewer than five links, and those links must not consist solely of common unsubscribe links; the body must be under 2000 characters and the subject under 100 characters. Finally, a regex pattern matches the subject line against a set of phrases commonly seen in phishing lures.
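The following is an added illustration of how the structural conditions above compose into a verdict; it is not the Sublime rule itself. The NLU signals (financial request, urgency, organization mention) and the "unsolicited sender" judgement are supplied as pre-computed booleans on each message, because the real classifier is not reproducible here, and the subject-line regex is an assumed placeholder since the page does not publish the rule's actual pattern. The sample messages are constructed.

```python
import re
from dataclasses import dataclass, replace


@dataclass
class Message:
    """Minimal message model for this example (assumed shape, not Sublime's)."""
    subject: str
    body: str
    links: list
    unsolicited_sender: bool        # True when there is no prior correspondence
    nlu_financial_request: bool     # assumed NLU output: asks for money/payment
    nlu_urgency: bool               # assumed NLU output: time pressure
    nlu_org_mention: bool           # assumed NLU output: names an organization


# Placeholder lure phrases; the real rule's regex is not on the page.
SUSPICIOUS_SUBJECT_RE = re.compile(
    r"\b(urgent|immediate(?:ly)?|action required|payment (?:due|overdue)|"
    r"invoice|wire transfer|past due|account (?:suspended|verification))\b",
    re.IGNORECASE,
)

# Links that only serve list management should not count as a lure.
UNSUBSCRIBE_RE = re.compile(
    r"unsubscribe|opt[- ]?out|manage (?:your )?preferences", re.IGNORECASE
)

MAX_LINKS = 5           # rule: fewer than five links
MAX_BODY_CHARS = 2000   # rule: body under 2000 characters
MAX_SUBJECT_CHARS = 100  # rule: subject under 100 characters


def links_only_unsubscribe(links):
    """True when every link present is an unsubscribe-style link."""
    return len(links) > 0 and all(UNSUBSCRIBE_RE.search(link) for link in links)


def failed_conditions(msg):
    """Return the names of rule conditions the message does NOT satisfy.

    An empty list means every condition held and the message would be flagged.
    Listing the failures rather than returning a bare boolean makes tuning
    and false-positive triage easier.
    """
    failed = []
    if not msg.unsolicited_sender:
        failed.append("sender_known")
    if not (msg.nlu_financial_request and msg.nlu_urgency and msg.nlu_org_mention):
        failed.append("nlu_signals")
    # At least one link (the rule title requires a link) and fewer than five.
    if not (0 < len(msg.links) < MAX_LINKS):
        failed.append("link_count")
    if links_only_unsubscribe(msg.links):
        failed.append("unsubscribe_only_links")
    if len(msg.body) >= MAX_BODY_CHARS:
        failed.append("body_length")
    if len(msg.subject) >= MAX_SUBJECT_CHARS:
        failed.append("subject_length")
    if not SUSPICIOUS_SUBJECT_RE.search(msg.subject):
        failed.append("subject_pattern")
    return failed


def matches(msg):
    """Rule verdict: True only when every condition is satisfied."""
    return not failed_conditions(msg)


# Constructed samples (not real messages).
PHISH = Message(
    subject="URGENT: overdue invoice for Acme Corp - payment required today",
    body="Hello, your Acme Corp invoice is past due. Pay now: https://pay.example/inv/4471",
    links=["https://pay.example/inv/4471"],
    unsolicited_sender=True,
    nlu_financial_request=True, nlu_urgency=True, nlu_org_mention=True,
)
NEWSLETTER = Message(
    subject="Your weekly Acme Corp digest",
    body="This week at Acme Corp... Unsubscribe: https://mail.example/unsubscribe?u=1",
    links=["https://mail.example/unsubscribe?u=1"],
    unsolicited_sender=True,
    nlu_financial_request=False, nlu_urgency=False, nlu_org_mention=True,
)
# Same lure, but padded well past the body-length ceiling.
PHISH_LONG_BODY = replace(PHISH, body=PHISH.body + (" Please act now." * 200))

if __name__ == "__main__":
    for name, m in [("PHISH", PHISH), ("NEWSLETTER", NEWSLETTER),
                    ("PHISH_LONG_BODY", PHISH_LONG_BODY)]:
        print(f"{name}: match={matches(m)} failed={failed_conditions(m)}")
```

The body and subject length ceilings are worth keeping even though they look incidental: short, link-sparse messages are typical of hand-crafted invoice lures, while long bodies with many links are usually bulk mail, so the limits cut noise from the NLU signals without adding new detection surface.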
Categories
- Endpoint
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2023-12-12