
Headers: Self-sender using Microsoft CompAuth bypass with credential theft content
Sublime Rules
Summary
This rule detects inbound messages that are purposefully crafted to target the receiver itself (self-sent) or an invalid domain, using strict recipient constraints (a single To recipient, no Cc or Bcc) to minimize exposure. It augments header analysis with content-based intent detection and sender characteristics to identify credential-theft content delivered under a bypass scenario. Specifically, it flags messages whose body an NLP classifier labels as containing credential-theft intent with non-low confidence, and where Microsoft CompAuth appears to pass in the hop headers even though SPF and DMARC authentication ultimately fail. The combination of self-sender targeting, credential-theft content, a CompAuth-based bypass, and SPF/DMARC failures constitutes a stealthy credential phishing attempt designed to evade standard domain-based protections.

This rule is triggered when all of the following hold:
- there is exactly one To recipient and no Cc or Bcc recipients,
- the sender equals the recipient, or the recipient domain is invalid,
- NLP detects cred_theft content with sufficient (non-low) confidence, and
- a compauth=pass indicator exists in the hop headers while SPF and DMARC do not pass.

The rule is categorized under Attack surface reduction, aligned with Credential Phishing, and uses the detection methods Natural Language Understanding, Header analysis, and Sender analysis to identify evasive phishing attempts aimed at credential theft via spoofed or misrepresented identities.
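The header and recipient conditions described above, reproduced as a small standalone detector. This is an added example, not the Sublime rule itself or its MQL source: it parses a constructed sample message with Python's standard email library, reads the method=result pairs out of the Authentication-Results header as a stand-in for the platform's hop-header attributes, and takes the NLP classifier's cred_theft confidence as an input label rather than running a classifier. The domain validity check is a syntactic approximation of the platform's own validity attribute; all sample addresses and IPs are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: a self-sent message whose Authentication-Results header
# records spf=fail and dmarc=fail alongside compauth=pass.
SAMPLE_RAW = """From: victim@example.com
To: victim@example.com
Subject: Password expiring
Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=example.com; dkim=none; dmarc=fail action=none header.from=example.com; compauth=pass reason=130
Received: from mail.example.net (203.0.113.10) by mx.example.com
Content-Type: text/plain

Your password expires today. Sign in here to keep access.
"""

# method=result pairs as they appear in Authentication-Results values
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)", re.IGNORECASE)

# Syntactic stand-in for the platform's domain validity attribute (assumption):
# at least one label, a dot, and an alphabetic TLD of two or more characters.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def parse_auth_results(msg):
    """Collect every method=result pair from all Authentication-Results headers."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RESULT_RE.findall(value):
            results.setdefault(method.lower(), set()).add(result.lower())
    return results


def domain_is_valid(address):
    """Approximate validity check on the domain part of an address."""
    _, _, domain = address.rpartition("@")
    return bool(domain) and DOMAIN_RE.match(domain) is not None


def evaluate(msg, cred_theft_confidence):
    """Return each rule condition as a named boolean.

    cred_theft_confidence is the label an NLP classifier would attach to the
    body ('low', 'medium', 'high' or None); it is supplied by the caller here.
    """
    tos = getaddresses(msg.get_all("To", []))
    ccs = getaddresses(msg.get_all("Cc", []))
    bccs = getaddresses(msg.get_all("Bcc", []))
    recipient = tos[0][1].lower() if len(tos) == 1 else ""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth = parse_auth_results(msg)

    return {
        "single_recipient": len(tos) == 1 and not ccs and not bccs,
        "self_or_invalid_domain": bool(recipient)
        and (sender == recipient or not domain_is_valid(recipient)),
        "cred_theft_non_low": cred_theft_confidence in ("medium", "high"),
        "compauth_pass": "pass" in auth.get("compauth", set()),
        "spf_not_pass": "pass" not in auth.get("spf", set()),
        "dmarc_not_pass": "pass" not in auth.get("dmarc", set()),
    }


def matches_rule(raw_message, cred_theft_confidence):
    """True when every condition of the rule holds for the raw RFC 5322 text."""
    msg = message_from_string(raw_message)
    return all(evaluate(msg, cred_theft_confidence).values())


if __name__ == "__main__":
    for name, hit in evaluate(message_from_string(SAMPLE_RAW), "high").items():
        print(f"{name:24s} {hit}")
    print("match:", matches_rule(SAMPLE_RAW, "high"))
```

Each condition is returned separately so an analyst can see which leg of the rule fired; in particular the compauth=pass / spf=fail / dmarc=fail combination is what distinguishes this traffic from ordinary self-addressed mail, and a single extra Cc recipient or an SPF pass is enough to suppress the match.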
Categories
- Network
Data Sources
- Network Traffic
Created: 2026-04-22