Attachment: Office file with credential phishing URLs

Sublime Rules

Summary
This detection rule identifies Office documents that contain embedded URLs potentially leading to credential phishing websites. It analyzes attachments only, focusing on Office file types that allow macros and embedded content. The rule applies a series of filters: it first discards the XML namespace and schema URLs that legitimately appear in every Office document. After this filtering, it only examines documents with up to three unique URLs remaining. It then analyzes those remaining URLs with a machine learning model that specializes in phishing detection. The model assesses the URLs for malicious intent and assigns a confidence level based on the presence of recognizable brands. This approach allows precise identification of potential phishing attempts while minimizing false positives caused by standard Office document structures.
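The filtering stages the summary describes, as an added Python example that is not the Sublime rule itself or its query language: unpack the OOXML container, drop URLs that are only XML namespace or schema references, deduplicate, and hand on only documents with at most three remaining URLs. The namespace host list, the minimal document builder and the `example.invalid` links are constructed for this example; the ML classifier stage is represented only by the hand-off, not implemented.

```python
import io
import re
import zipfile

# Hosts that appear in every OOXML part purely as namespace/schema references.
# Constructed for this example; the real rule's exclusion list is not shown here.
NAMESPACE_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com",
                   "www.w3.org", "purl.org", "schemas.xmlsoap.org"}
MAX_UNIQUE_URLS = 3  # the summary's gate: only docs with <= 3 unique URLs go on
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def host_of(url):
    """Lower-cased host portion of an http(s) URL."""
    return url.split("//", 1)[1].split("/", 1)[0].lower()


def extract_urls(docx_bytes):
    """Unique URLs across all XML/.rels parts, minus namespace-only references."""
    urls = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.endswith(".xml") or name.endswith(".rels")):
                continue
            text = z.read(name).decode("utf-8", errors="replace")
            for url in URL_RE.findall(text):
                if host_of(url) not in NAMESPACE_HOSTS:
                    urls.add(url.rstrip(".,;)"))
    return urls


def candidate_urls(docx_bytes):
    """URLs to send to the phishing classifier, or None when the document has
    no non-namespace URLs or more than MAX_UNIQUE_URLS of them."""
    urls = extract_urls(docx_bytes)
    if not urls or len(urls) > MAX_UNIQUE_URLS:
        return None
    return sorted(urls)  # stand-in for the hand-off to the ML model


def build_sample_docx(hyperlinks):
    """Constructed minimal .docx: namespace URLs plus external hyperlink targets."""
    rel_type = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            + "".join(f'<Relationship Id="rId{i}" Type="{rel_type}" Target="{u}" '
                      'TargetMode="External"/>' for i, u in enumerate(hyperlinks, 1))
            + "</Relationships>")
    document = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                "<w:body/></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```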
Categories
  • Endpoint
  • Cloud
  • Web
  • Application
Data Sources
  • File
  • Network Traffic
  • Process
Created: 2025-09-03