
Service abuse: AppSheet infrastructure with suspicious indicators

Sublime Rules

Summary
This detection rule targets abuse of the AppSheet infrastructure, specifically emails sent from 'noreply@appsheet.com' that exhibit characteristics of credential theft. To separate malicious messages from legitimate ones, the rule examines several indicators: links pointing to recently registered or suspicious domains, security-related keywords in the sender's display name, and unusual text patterns in the email body. It also uses a machine learning classifier to identify intent related to credential theft and other scams, and it includes checks that exclude benign AppSheet communications within the organization. The rule helps defend against a growing trend of phishing attacks that leverage legitimate platforms like AppSheet.
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
  • Web Credential
Created: 2025-10-07