
Summary
This rule detects inbound HTML content that contains a very specific print-styling CSS fragment and also carries high- or medium-confidence credential-theft intent as determined by an embedded natural language understanding (NLU) classifier. It looks for a CSS block that explicitly enables exact color printing and avoids page breaks within the HTML, producing a print-friendly rendering that attackers may use to format credential prompts or stolen data for easier display or exfiltration. In addition to the HTML styling check, the rule requires the message thread text to be analyzed by an NLU classifier, and it only triggers if that analysis yields an intent named cred_theft with a confidence of medium or higher (that is, anything other than 'low'). Combining content-based HTML analysis with semantic intent detection is intended to reduce false positives and focus on credential-phishing content that is purposely formatted for print or display. The rule is categorized under attack surface reduction, with detection methods spanning content analysis, HTML analysis, and natural language understanding, and maps to credential-phishing techniques that rely on social engineering and on evasion via HTML presentation.
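As an added illustration, not the rule's own implementation or query language, the two conditions described above expressed in Python: a check for the print-styling CSS fragment and a check for a cred_theft intent at medium or higher confidence. The concrete CSS property names (print-color-adjust: exact and page-break-inside: avoid), the shape of the classifier's intent list, and the sample message body are assumptions constructed here, since the rule text does not quote them.

```python
import re

# Assumption: the "exact color printing" and "avoid page breaks" declarations the
# rule looks for are taken to be these two standard CSS properties; the page does
# not quote the literal fragment. The first regex also matches the -webkit- prefix.
EXACT_COLOR_RE = re.compile(r"print-color-adjust\s*:\s*exact", re.IGNORECASE)
NO_PAGE_BREAK_RE = re.compile(r"page-break-inside\s*:\s*avoid", re.IGNORECASE)

# Confidence ordering used to express "medium or higher"; 'low' never qualifies.
CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}


def has_print_styling(html: str) -> bool:
    """True when the HTML carries both print-friendly declarations."""
    return bool(EXACT_COLOR_RE.search(html)) and bool(NO_PAGE_BREAK_RE.search(html))


def has_cred_theft_intent(intents, minimum: str = "medium") -> bool:
    """intents: list of {'name': ..., 'confidence': 'low'|'medium'|'high'}.

    The dict shape stands in for an NLU classifier's output (constructed here).
    Unknown confidence values rank below 'low' and never satisfy the threshold.
    """
    threshold = CONFIDENCE_RANK[minimum]
    return any(
        intent.get("name") == "cred_theft"
        and CONFIDENCE_RANK.get(intent.get("confidence"), -1) >= threshold
        for intent in intents
    )


def rule_matches(html: str, intents) -> bool:
    """Both conditions must hold, mirroring the rule's AND of HTML and NLU checks."""
    return has_print_styling(html) and has_cred_theft_intent(intents)


# Constructed sample message body: a 'verification' card styled for printing.
SAMPLE_HTML = """<html><head><style>
  body { -webkit-print-color-adjust: exact; print-color-adjust: exact; }
  .card { page-break-inside: avoid; border: 1px solid #ccc; }
</style></head><body><div class="card">Please verify your account</div></body></html>"""

if __name__ == "__main__":
    verdicts = {
        "high": rule_matches(SAMPLE_HTML, [{"name": "cred_theft", "confidence": "high"}]),
        "low": rule_matches(SAMPLE_HTML, [{"name": "cred_theft", "confidence": "low"}]),
        "other": rule_matches(SAMPLE_HTML, [{"name": "newsletter", "confidence": "high"}]),
    }
    print(verdicts)  # {'high': True, 'low': False, 'other': False}
```

A message that carries only one of the two declarations, or a cred_theft intent at 'low' confidence, does not match, which is the false-positive reduction the rule description relies on.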
Categories
- Web
- Endpoint
- Application
Data Sources
- Network Traffic
- Process
Created: 2026-06-17