
Attachment: Fake secure message and suspicious indicators

Sublime Rules

Summary
This detection rule identifies potentially malicious emails whose attachments mimic secure messages from untrusted sources. It combines natural language understanding, which assesses the body text for credential-theft language, with checks on attachment characteristics such as filenames and embedded URLs. If the attached file mentions 'secure message' and originates from a domain that is either suspicious or different from the sender's domain, the email is flagged. The rule also checks whether the sender belongs to a known high-trust domain, avoiding false negatives unless DMARC authentication fails, incorporates sender behavior profiles to identify new or outlier senders, and examines email headers for anomalies, further strengthening the detection of phishing attempts.
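As an added illustration, not the rule's own logic (Sublime rules are written in its query language, not Python), the following script models the checks the summary describes and runs them over constructed sample messages. The high-trust domain list, the credential-theft phrase list, the sender-profile labels and all domains are placeholders, and a keyword match stands in for the natural language classifier.

```python
"""Simplified model of the described detection: an attachment that mimics a
'secure message' and links to a domain other than the sender's, with the
high-trust/DMARC exemption and sender-profile indicators."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-ins for the rule's NLU classifier and trust lists.
SECURE_MESSAGE_RE = re.compile(r"secure[\s_-]*message", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
CREDENTIAL_THEFT_PHRASES = (
    "sign in to view", "verify your password", "confirm your credentials", "login to view",
)
HIGH_TRUST_DOMAINS = {"trusted-bank.example"}  # hypothetical trust list


@dataclass
class Attachment:
    filename: str
    text: str  # text already extracted from the attached HTML/PDF (assumed parsed)


@dataclass
class Email:
    sender_domain: str
    subject: str
    body: str
    attachments: list
    dmarc_pass: bool
    sender_profile: str  # constructed labels: "new", "outlier" or "established"


def registered_domain(host):
    """Reduce a hostname to its last two labels ('login.evil.example' -> 'evil.example')."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def url_domains(text):
    """Registered domains of every URL found in the attachment text."""
    return {registered_domain(urlparse(u).hostname or "") for u in URL_RE.findall(text)}


def credential_theft_language(text):
    """Keyword stand-in for the NLU credential-theft classifier."""
    lowered = text.lower()
    return any(phrase in lowered for phrase in CREDENTIAL_THEFT_PHRASES)


def evaluate(email):
    """Return (flagged, indicators) following the summary's logic."""
    indicators = []
    sender = registered_domain(email.sender_domain)
    for att in email.attachments:
        if not (SECURE_MESSAGE_RE.search(att.filename) or SECURE_MESSAGE_RE.search(att.text)):
            continue
        indicators.append(f"attachment mimics secure message: {att.filename}")
        foreign = {d for d in url_domains(att.text) if d and d != sender}
        if foreign:
            indicators.append("attachment links to non-sender domains: " + ", ".join(sorted(foreign)))
    if credential_theft_language(email.body) or any(credential_theft_language(a.text) for a in email.attachments):
        indicators.append("credential theft language")
    if email.sender_profile in ("new", "outlier"):
        indicators.append(f"{email.sender_profile} sender")

    mimics = any(i.startswith("attachment mimics") for i in indicators)
    foreign_link = any(i.startswith("attachment links") for i in indicators)
    # High-trust senders are exempt only while DMARC passes; a failure removes the exemption.
    trusted = sender in HIGH_TRUST_DOMAINS and email.dmarc_pass
    return mimics and foreign_link and not trusted, indicators


# Constructed sample messages (all domains are placeholders).
PHISH = Email(
    sender_domain="mail.random-sender.example",
    subject="You have a new secure message",
    body="Please open the attachment and sign in to view your document.",
    attachments=[Attachment("Secure_Message.html",
                            '<a href="https://login.evil.example/auth">Open secure message</a>')],
    dmarc_pass=True,
    sender_profile="new",
)
LEGIT = Email(
    sender_domain="trusted-bank.example",
    subject="Your secure message",
    body="A secure message is waiting for you.",
    attachments=[Attachment("SecureMessage.html", "Open: https://portal.trusted-bank.example/inbox")],
    dmarc_pass=True,
    sender_profile="established",
)
SPOOF = Email(  # claims the trusted domain but fails DMARC and links elsewhere
    sender_domain="trusted-bank.example",
    subject="Secure message",
    body="Open the attached secure message.",
    attachments=[Attachment("SecureMessage.html", "https://login.evil.example/auth")],
    dmarc_pass=False,
    sender_profile="outlier",
)

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT), ("SPOOF", SPOOF)):
        flagged, why = evaluate(msg)
        print(name, "flagged" if flagged else "clean", why)
```

The exemption is deliberately narrow: a sender on the trust list is only exempt while DMARC passes, so a spoofed trusted domain with a failing DMARC result is still flagged when its attachment links away from the sender's domain.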
Categories
  • Web
  • Endpoint
  • Identity Management
Data Sources
  • Web Credential
  • User Account
  • Process
  • File
  • Network Traffic
Created: 2024-05-02