
Summary
This detection rule identifies credential phishing attempts delivered in email messages addressed to "Undisclosed Recipients". A message is flagged only when its recipient list contains no direct recipients or is explicitly marked as "Undisclosed recipients", and only when no carbon copied (CC) or blind carbon copied (BCC) recipients are present. The message body is then examined for links, and machine learning link analysis is used to determine whether any link is likely a phishing site; only links classified with medium or high confidence count. Messages from highly trusted sender domains are excluded unless they fail DMARC authentication, which adds a further layer of scrutiny. The rule is refined against user profiles to reduce false positives, keeping its focus on unsolicited and potentially dangerous email. The primary attack type identified is "Credential Phishing", which falls under the broader tactic of "Evasion" in security terms.
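The following is an added example, not the rule's own source, that shows the conditions described above as an evaluator over raw RFC 822 messages. It assumes a placeholder list of highly trusted sender domains (`HIGH_TRUST_SENDER_DOMAINS`), reads the DMARC result from an `Authentication-Results` header, and takes the machine learning link verdict as a precomputed mapping from URL to confidence ("low", "medium" or "high") rather than running a model. The profile-based false-positive refinement mentioned in the summary is not modeled. All sample messages and verdicts are constructed.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

# Constructed placeholder for the platform's highly trusted sender list (assumption).
HIGH_TRUST_SENDER_DOMAINS = {"trusted-vendor.example"}

# RFC 5322 group syntax typically seen on BCC-only mail, e.g. "Undisclosed recipients:;"
# or "undisclosed-recipients:;". The colon/semicolon are optional to tolerate sloppy MUAs.
UNDISCLOSED_RE = re.compile(r"^\s*undisclosed[\s-]*recipients?\s*:?\s*;?\s*$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def header_values(msg: Message, name: str) -> List[str]:
    """Every non-empty comma-separated value across all instances of a header."""
    out: List[str] = []
    for raw in msg.get_all(name, []):
        out.extend(part.strip() for part in raw.split(",") if part.strip())
    return out


def recipients_undisclosed(msg: Message) -> bool:
    """True when there are no direct recipients, or every To entry is an undisclosed group."""
    to = header_values(msg, "To")
    return not to or all(UNDISCLOSED_RE.match(addr) for addr in to)


def sender_domain(msg: Message) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def body_links(msg: Message) -> List[str]:
    """Collect URLs from every text/* part (a non-multipart message is its own single part)."""
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        urls.extend(URL_RE.findall(payload.decode("utf-8", errors="replace")))
    return urls


def is_undisclosed_recipient_phish(raw: str, link_verdicts: Dict[str, str]) -> bool:
    """Apply the rule's conditions; link_verdicts stands in for the link-analysis ML model."""
    msg = message_from_string(raw)
    if not recipients_undisclosed(msg):
        return False
    if header_values(msg, "Cc") or header_values(msg, "Bcc"):
        return False
    if not any(link_verdicts.get(u, "low") in ("medium", "high") for u in body_links(msg)):
        return False
    # Trusted senders are exempt only while DMARC passes; a DMARC failure removes the exemption.
    dmarc_pass = "dmarc=pass" in msg.get("Authentication-Results", "").lower()
    if sender_domain(msg) in HIGH_TRUST_SENDER_DOMAINS and dmarc_pass:
        return False
    return True


# Constructed samples; the URL below is a placeholder, not a real indicator.
PHISH_URL = "https://login-verify.example/reset"


def make_sample(from_addr: str, to: str, auth: str, cc: str = "") -> str:
    headers = [
        f"From: {from_addr}",
        f"To: {to}",
        "Subject: Password expiry notice",
        f"Authentication-Results: mx.example; {auth}",
        "Content-Type: text/plain",
    ]
    if cc:
        headers.append(f"Cc: {cc}")
    return "\n".join(headers) + f"\n\nYour password expires today. Verify at {PHISH_URL}\n"


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over constructed messages; returns sample name -> flagged."""
    high = {PHISH_URL: "high"}
    low = {PHISH_URL: "low"}
    untrusted = '"IT Helpdesk" <helpdesk@mail-notify.example>'
    trusted = "alerts@trusted-vendor.example"
    return {
        "undisclosed_untrusted": is_undisclosed_recipient_phish(
            make_sample(untrusted, "Undisclosed recipients:;", "dmarc=fail"), high),
        "empty_to": is_undisclosed_recipient_phish(
            make_sample(untrusted, "", "dmarc=none"), high),
        "direct_recipient": is_undisclosed_recipient_phish(
            make_sample(untrusted, "alice@corp.example", "dmarc=fail"), high),
        "has_cc": is_undisclosed_recipient_phish(
            make_sample(untrusted, "undisclosed-recipients:;", "dmarc=fail", cc="bob@corp.example"), high),
        "low_confidence_link": is_undisclosed_recipient_phish(
            make_sample(untrusted, "Undisclosed recipients:;", "dmarc=fail"), low),
        "trusted_dmarc_pass": is_undisclosed_recipient_phish(
            make_sample(trusted, "Undisclosed recipients:;", "dmarc=pass"), high),
        "trusted_dmarc_fail": is_undisclosed_recipient_phish(
            make_sample(trusted, "Undisclosed recipients:;", "dmarc=fail"), high),
    }


if __name__ == "__main__":
    for name, flagged in evaluate_samples().items():
        print(f"{name:22s} flagged={flagged}")
```

The DMARC check deliberately depends on an authentication header stamped by the receiving MTA; if your gateway records the verdict elsewhere, swap `dmarc_pass` for that source rather than trusting anything the sender could have written into the message.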
Categories
- Cloud
- Web
- Identity Management
- Endpoint
- Other
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2023-06-21