
Summary
This detection targets inbound messages delivered to a single recipient that claim a financial or account problem, contain suspicious links, and carry high-confidence indicators of credential theft in the message content.

The rule looks for targeted, one-to-one deliveries (a single recipient) and phrases of the form "problem/issue with your ... card/account/renewal/payment". It flags messages whose links show suspicious characteristics: URL shorteners, free file hosts, free subdomain hosts, suspicious top-level domains, recent domain registration (WHOIS age under 30 days), or a referenced domain that matches specific questionable domains (e.g., sa.com). Branded campaign links are excluded: links carrying utm_ query parameters, the usual marker of legitimate marketing campaigns, are not counted.

It also requires high-confidence credential theft signals from an ML/NLU classifier: an intent of cred_theft at high confidence, together with the topic Financial Communications or Payment Information at high confidence. Finally, it applies a sender-domain trust check: the message is flagged only if the sending domain is not in the high-trust set or fails DMARC authentication; a high-trust domain that also passes DMARC is exempt.

The combination of targeted delivery, suspicious link patterns, and high-confidence credential theft indicators identifies credential phishing messages themed around financial communications. The rule is categorized under Credential Phishing, covers the tactics of relying on free hosting/subdomain services and social engineering, and uses detection methods spanning content analysis, natural language understanding, URL analysis, and WHOIS lookup.
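As an added illustration, not the rule's own logic or query language, the following Python sketch evaluates the conditions described above against a constructed message record. The indicator lists, the message field names, the WHOIS lookup shape and the NLU output format are all assumptions made for the example.

```python
import re
from datetime import date, timedelta
from urllib.parse import urlparse, parse_qs
# Constructed indicator lists: stand-ins for the rule's own lists, which the page does not show.
URL_SHORTENERS = {"bit.ly", "tinyurl.com"}
FREE_FILE_HOSTS = {"drive.google.com", "dropbox.com"}
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "wixsite.com"}
SUSPICIOUS_TLDS = {"xyz", "top", "click"}
QUESTIONABLE_DOMAINS = {"sa.com"}
HIGH_TRUST_DOMAINS = {"paypal.com", "amazon.com"}
FINANCIAL_TOPICS = {"Financial Communications", "Payment Information"}
# "problem/issue with your ... card/account/renewal/payment", with a few words of slack in between
ISSUE_RE = re.compile(r"\b(problem|issue)\s+with\s+your\b[^.!?]{0,40}?\b(card|account|renewal|payment)\b", re.I)

def link_is_suspicious(url, whois_created, today):
    """URL-analysis branch for one link; whois_created maps root domain -> creation date (or absent)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    root = ".".join(host.split(".")[-2:])  # naive root-domain cut, enough for the sample hosts
    if any(k.lower().startswith("utm_") for k in parse_qs(parsed.query)):
        return False  # branded campaign link: the rule excludes these
    if host in URL_SHORTENERS or root in FREE_FILE_HOSTS or root in QUESTIONABLE_DOMAINS:
        return True
    if root in FREE_SUBDOMAIN_HOSTS and host != root:
        return True  # free subdomain host, e.g. something.weebly.com
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        return True
    created = whois_created.get(root)
    return created is not None and today - created < timedelta(days=30)  # WHOIS age < 30 days

def sender_untrusted(sender_domain, dmarc_pass):
    # Only a high-trust sender domain that also passes DMARC is exempt.
    return sender_domain.lower() not in HIGH_TRUST_DOMAINS or not dmarc_pass

def is_financial_cred_phish(msg, whois_created, today):
    nlu = msg["nlu"]  # assumed classifier output: intent + confidence, and (topic, confidence) pairs
    return (len(msg["recipients"]) == 1
            and ISSUE_RE.search(msg["body"]) is not None
            and any(link_is_suspicious(u, whois_created, today) for u in msg["links"])
            and nlu["intent"] == "cred_theft" and nlu["intent_confidence"] == "high"
            and any(t in FINANCIAL_TOPICS and c == "high" for t, c in nlu["topics"])
            and sender_untrusted(msg["sender_domain"], msg["dmarc_pass"]))

# Constructed sample: single recipient, "issue with your account", link on a 5-day-old domain, DMARC fail.
SAMPLE_MSG = {"recipients": ["user@example.org"], "sender_domain": "notify-billing.example",
              "dmarc_pass": False, "links": ["https://secure-login.verify-acct.example/u/1"],
              "body": "We found an issue with your account. Update your payment details now.",
              "nlu": {"intent": "cred_theft", "intent_confidence": "high",
                      "topics": [("Financial Communications", "high")]}}
SAMPLE_WHOIS = {"verify-acct.example": date(2026, 3, 20)}
```

Calling `is_financial_cred_phish(SAMPLE_MSG, SAMPLE_WHOIS, date(2026, 3, 25))` returns True; widening the recipient list, adding utm_ parameters to the link, or an older WHOIS date each drops the verdict to False.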
Categories
- Application
- Endpoint
- Web
Data Sources
- Web Credential
- Network Traffic
Created: 2026-03-25