
Link: Google Forms link with credential theft language

Sublime Rules

Summary
This inbound rule flags credential-phishing attempts that reference a Google Forms link hosted at docs.google.com. It requires three conditions to hold at once: (1) the message content contains credential-theft intent detected by an ML/NLU classifier with non-low confidence, (2) the message contains a link whose domain is exactly docs.google.com and whose path starts with /form (the /forms/... paths that Google Forms use), and (3) the sender is identified as new, i.e. has not previously been seen by the recipient organization. Combining language analysis, URL domain and path validation, and sender newness reduces false positives while still catching attackers who abuse Google's trusted domain to harvest credentials, since the form itself is served from a reputable host that link-reputation checks alone would not flag. Limitations include legitimate Google Forms used for surveys or onboarding (particularly from new external partners) and the rule's dependence on the accuracy of the NLU classifier and the sender-novelty heuristic. Possible refinements include cross-referencing known-good forms, adding link-reputation checks on any other URLs in the message, and correlating with user-reported phishing to improve precision.
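To make the three-condition logic concrete, here is an added Python model of the rule run over constructed sample messages. It is not the Sublime rule itself (Sublime rules are written in MQL), and the keyword-based `credential_theft_confidence` function is an assumed stand-in for Sublime's NLU classifier, not its real behaviour. The link check shows the two details a practitioner cares about: the host must match docs.google.com exactly (a lookalike such as docs.google.com.evil.example, or a userinfo trick, must not pass) and the path must start with /form, so a Google Doc or Sheet link on the same host does not trigger the rule.

```python
"""Toy model of the "Google Forms link with credential theft language" rule.

Added example, not Sublime's code. The classifier below is a constructed
keyword stand-in (assumption) for Sublime's NLU credential-theft classifier;
the sample messages and known-sender list are constructed inline.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-in for the NLU classifier's credential-theft signal.
CREDENTIAL_THEFT_PHRASES = (
    "verify your password",
    "confirm your account",
    "enter your credentials",
    "sign in to keep access",
)


@dataclass
class Message:
    sender: str
    body: str
    links: list[str]


def credential_theft_confidence(body: str) -> str:
    """Stand-in classifier: 'low' with no hits, 'medium' with one, 'high' with more."""
    text = body.lower()
    hits = sum(phrase in text for phrase in CREDENTIAL_THEFT_PHRASES)
    if hits == 0:
        return "low"
    return "medium" if hits == 1 else "high"


def is_google_form_link(url: str) -> bool:
    """Condition (2): exact host docs.google.com and a path beginning with /form.

    urlparse().hostname strips userinfo and port, so
    https://docs.google.com@evil.example/forms yields hostname evil.example.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return host == "docs.google.com" and parsed.path.startswith("/form")


def is_new_sender(sender: str, known_senders: set[str]) -> bool:
    """Condition (3): sender never seen before (modelled as a known-sender set)."""
    return sender.lower() not in known_senders


def rule_matches(msg: Message, known_senders: set[str]) -> bool:
    """All three conditions must hold, mirroring the rule's AND logic."""
    return (
        credential_theft_confidence(msg.body) != "low"
        and any(is_google_form_link(u) for u in msg.links)
        and is_new_sender(msg.sender, known_senders)
    )


# Constructed sample data.
KNOWN_SENDERS = {"hr@partner.example"}

SAMPLE_MESSAGES = {
    # Unknown sender, credential-theft language, real Google Form: should fire.
    "phish_form": Message(
        sender="it-support@lookalike.example",
        body="Your mailbox is full. Verify your password to confirm your account.",
        links=["https://docs.google.com/forms/d/e/1FAIpQL-example/viewform"],
    ),
    # Known sender running a survey: sender-newness check suppresses it.
    "known_sender_survey": Message(
        sender="hr@partner.example",
        body="Please confirm your account details in our onboarding survey.",
        links=["https://docs.google.com/forms/d/e/1FAIpQL-example/viewform"],
    ),
    # Lookalike host with docs.google.com as a prefix: host check must reject it.
    "lookalike_host": Message(
        sender="alerts@unknown.example",
        body="Verify your password to confirm your account today.",
        links=["https://docs.google.com.evil.example/forms/d/e/abc/viewform"],
    ),
    # Same trusted host but a Docs link, not a Form: path check rejects it.
    "google_doc_not_form": Message(
        sender="alerts@unknown.example",
        body="Verify your password to confirm your account today.",
        links=["https://docs.google.com/document/d/abc/edit"],
    ),
    # Real form from an unknown sender but no credential-theft language: benign.
    "benign_language": Message(
        sender="events@unknown.example",
        body="Tell us which lunch option you prefer for Friday.",
        links=["https://docs.google.com/forms/d/e/xyz/viewform"],
    ),
}


def evaluate_samples() -> dict[str, bool]:
    """Run the rule over every constructed sample and return name -> matched."""
    return {name: rule_matches(m, KNOWN_SENDERS) for name, m in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, matched in evaluate_samples().items():
        print(f"{name:22s} -> {'MATCH' if matched else 'no match'}")
```

Only the first sample trips all three conditions; each of the others fails exactly one, which is the point of the AND: a Google Form link from a known sender, or a lookalike host, or credential language without a form link, is not enough on its own.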
Categories
  • Web
Data Sources
  • Web Credential
  • Process
Created: 2026-03-03