
Summary
Technical summary: This inbound rule flags unsolicited emails that contain one to fourteen links and have exactly one recipient with a valid domain. It analyzes each link to determine the effective URL path and looks for a Tycoon URL structure in that path. The Tycoon pattern is characterized by a path with two '/' segments that contains an encoded email address or a base64-encoded payload within the path. If any link matches this pattern, the rule triggers a high-severity finding categorized as Credential Phishing. The rule leverages URL analysis and, where applicable, natural language understanding to interpret the email content and the presence of obfuscated links. It relies on inbound email content (application-level data) and related network activity to detect attempts at credential theft or data exfiltration via Tycoon URLs. Attack techniques include evasion and social engineering aimed at deceiving the recipient into clicking the link and divulging credentials.
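The following is an added Python illustration of the detection logic as summarised above; it is not the rule's own code. It reads "two '/' segments" as exactly two non-empty path segments, assumes each link is already the resolved effective URL, and uses its own loose heuristics (the regexes, the base64 length threshold and the sample links are all constructed assumptions).

```python
import base64
import re
from urllib.parse import unquote, urlparse

# Loose address/domain patterns applied after URL-decoding (assumptions, not the rule's own).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")

# Constructed sample links; the "effective" URL after any redirects is assumed to be known.
TYCOON_ENCODED_EMAIL = "https://example.invalid/abc123/user%40example.com"
TYCOON_BASE64 = "https://example.invalid/auth/dmljdGltQGV4YW1wbGUuY29t"  # base64 of victim@example.com
BENIGN_LINK = "https://example.invalid/docs/getting-started"


def is_encoded_email(segment: str) -> bool:
    """Segment is a URL-encoded address such as user%40example.com."""
    return bool(EMAIL_RE.match(unquote(segment)))


def is_base64_payload(segment: str, min_len: int = 16) -> bool:
    """Segment is standard or URL-safe base64 that decodes to printable UTF-8 text."""
    if len(segment) < min_len or not re.fullmatch(r"[A-Za-z0-9+/_-]+={0,2}", segment):
        return False
    normalised = segment.replace("-", "+").replace("_", "/")
    normalised += "=" * (-len(normalised) % 4)  # restore stripped padding
    try:
        text = base64.b64decode(normalised, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    return bool(text) and text.isprintable()


def has_tycoon_path(url: str) -> bool:
    """Path has exactly two non-empty '/' segments (our reading of the summary) and one
    of them is an encoded e-mail address or a base64 payload."""
    segments = [s for s in urlparse(url).path.split("/") if s]
    if len(segments) != 2:
        return False
    return any(is_encoded_email(s) or is_base64_payload(s) for s in segments)


def rule_matches(recipients: list[str], links: list[str]) -> bool:
    """Message-level gate from the summary: 1-14 links, exactly one recipient whose
    domain is well-formed, and at least one link with the Tycoon path shape."""
    if not 1 <= len(links) <= 14 or len(recipients) != 1:
        return False
    domain = recipients[0].rpartition("@")[2]
    return bool(DOMAIN_RE.match(domain)) and any(has_tycoon_path(u) for u in links)
```

In a real pipeline the link list would come from the parsed message body after redirect resolution, and the base64 branch should be tuned against benign traffic, since long alphanumeric path tokens can occasionally decode to printable text.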
Categories
- Web
- Application
Data Sources
- Application Log
- Network Traffic
Created: 2026-03-11