
Summary
Detects inbound credential-phishing emails sent through ActiveCampaign infrastructure. The sending service is fingerprinted from the mailer header (headers.mailer contains ActiveCampaign), and the body is inspected for financial-lure content in both the thread text and the HTML.

The rule flags a message when it combines finance-related prompts (e.g., credit cards, loans, deposits, account verification) with either boilerplate or third-party association phrases (e.g., Piratini, 45.405.898/0001-16, Cancelar inscri, Matemática Genial) or HTML call-to-action structures such as anchors carrying the es-button class or anchors styled inline with background or padding properties.

To keep detection scoped to financial-themed content, the rule requires the NLU Financial Communications topic classification. It is restricted to English-language messages and is suppressed when the Health and Wellness or Entertainment and Sports topics are detected with high confidence. To reduce false positives, messages from high-trust senders are not flagged when DMARC validation passes; the exemption depends on the DMARC result, so a message from a high-trust domain that fails DMARC is still evaluated.

Detection methods: Content analysis, Header analysis, Natural Language Understanding, Sender analysis. Attack type: Credential Phishing; tactic: Social Engineering. The rule is intended for inspection of inbound email that uses ActiveCampaign infrastructure for financial-lure phishing.
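The following is an added, stand-alone re-implementation of the logic described above, written for this page as an illustration; it is not the vendor's rule and does not use its query language. NLU topic scores, detected language, sender-trust status and the DMARC result are enrichments the rule consumes rather than computes, so they are passed in as plain inputs. The lure keyword regex, the X-Mailer header as the concrete carrier of headers.mailer, the 0.90 "high confidence" threshold and both sample emails are assumptions constructed for the example.

```python
"""Re-implementation of the summarised ActiveCampaign financial-lure rule.
Example code added to this page; not the vendor rule. NLU, language and
sender-trust signals are supplied as inputs (see Enrichment)."""
import re
from dataclasses import dataclass
from email import message_from_string
from email.message import Message

# Finance-related prompts named in the summary (assumed regex; the rule's own
# keyword list is not reproduced on the page).
FINANCIAL_LURE = re.compile(
    r"\b(credit card|loan|deposit|verify (?:your )?account|account verification)\b",
    re.IGNORECASE,
)
# Boilerplate / third-party association phrases quoted in the summary.
BOILERPLATE_PHRASES = ("Piratini", "45.405.898/0001-16", "Cancelar inscri", "Matemática Genial")
# CTA structures: an anchor with class es-button, or an anchor styled inline
# with background/padding (a button-like link).
CTA_HTML = re.compile(
    r"<a\b[^>]*(?:class=[\"'][^\"']*\bes-button\b[^\"']*[\"']"
    r"|style=[\"'][^\"']*\b(?:background(?:-color)?|padding)\s*:)",
    re.IGNORECASE | re.DOTALL,
)
TAG = re.compile(r"<[^>]+>")
HIGH_CONFIDENCE = 0.90  # assumed threshold for "high confidence" suppression
SUPPRESSING_TOPICS = ("Health and Wellness", "Entertainment and Sports")
REQUIRED_TOPIC = "Financial Communications"


@dataclass
class Enrichment:
    """Out-of-band signals the rule consumes (values are constructed here)."""
    language: str            # detected body language, e.g. "en"
    topics: dict             # NLU topic name -> confidence in [0, 1]
    high_trust_sender: bool  # sender is on a high-trust list
    dmarc_pass: bool         # DMARC authentication result


def body_parts(msg: Message) -> tuple[str, str]:
    """Return (visible text with tags stripped, raw HTML) over all text parts."""
    text, html = [], []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload()
        if part.get_content_subtype() == "html":
            html.append(payload)
            text.append(TAG.sub(" ", payload))
        else:
            text.append(payload)
    return " ".join(text), "\n".join(html)


def uses_activecampaign(msg: Message) -> bool:
    # headers.mailer in the summary; X-Mailer is the assumed underlying header.
    return "activecampaign" in msg.get("X-Mailer", "").lower()


def has_financial_lure(text: str) -> bool:
    return FINANCIAL_LURE.search(text) is not None


def has_lure_scaffolding(text: str, html: str) -> bool:
    """Boilerplate / third-party phrase in the text, or a CTA button in the HTML."""
    return any(p in text for p in BOILERPLATE_PHRASES) or CTA_HTML.search(html) is not None


def nlu_scope_ok(enr: Enrichment) -> bool:
    """Require the Financial Communications topic; suppress on confident off-topic hits."""
    if REQUIRED_TOPIC not in enr.topics:
        return False
    return not any(enr.topics.get(t, 0.0) >= HIGH_CONFIDENCE for t in SUPPRESSING_TOPICS)


def trusted_sender_exempt(enr: Enrichment) -> bool:
    # Exempt only when both hold: a high-trust domain that fails DMARC is still evaluated.
    return enr.high_trust_sender and enr.dmarc_pass


def matches(raw_email: str, enr: Enrichment) -> bool:
    """True when every condition of the summarised rule holds for this message."""
    msg = message_from_string(raw_email)
    text, html = body_parts(msg)
    return (
        uses_activecampaign(msg)
        and enr.language == "en"
        and has_financial_lure(text)
        and has_lure_scaffolding(text, html)
        and nlu_scope_ok(enr)
        and not trusted_sender_exempt(enr)
    )


# Constructed sample: a financial lure that should fire.
LURE_EMAIL = """\
From: alerts@example-bank-notice.test
To: victim@example.test
Subject: Your deposit is on hold
X-Mailer: ActiveCampaign Mailer
Content-Type: text/html; charset=utf-8

<html><body>
<p>We could not complete your deposit. Please verify your account to continue.</p>
<a class="es-button" href="https://example.test/verify">Verify account</a>
<p>Cancelar inscri</p>
</body></html>
"""

# Constructed sample: a genuine newsletter on the same mailer, styled CTA but no lure.
NEWSLETTER_EMAIL = """\
From: news@example-gym.test
To: member@example.test
Subject: New yoga classes this month
X-Mailer: ActiveCampaign Mailer
Content-Type: text/html; charset=utf-8

<html><body>
<p>Our new yoga schedule is live.</p>
<a href="https://example.test/schedule" style="background: #0a0; padding: 8px">See schedule</a>
</body></html>
"""

PHISH_ENRICHMENT = Enrichment("en", {"Financial Communications": 0.93}, False, False)

if __name__ == "__main__":
    print("lure fires:", matches(LURE_EMAIL, PHISH_ENRICHMENT))
    print("newsletter fires:", matches(
        NEWSLETTER_EMAIL,
        Enrichment("en", {"Financial Communications": 0.2, "Health and Wellness": 0.97}, False, False)))
```

Each clause of the summary is a separate predicate so that a false-positive report can be traced to the condition that let the message through: the newsletter above carries a styled CTA and the same mailer but has no financial lure and is suppressed anyway by the confident Health and Wellness topic, while the lure email is exempted only if the sender is both high-trust and passes DMARC.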
Categories
- Web
- Application
Data Sources
- Application Log
Created: 2026-03-28