Credential phishing content and link (untrusted sender)

Sublime Rules

Summary
This detection rule identifies potential credential phishing attempts delivered by email, particularly from untrusted senders. It combines several analysis techniques to decide whether a message both uses language indicative of credential theft and carries links that may lead to a phishing site. Natural language understanding (NLU) classifiers evaluate the email body and any attached images for phrases characteristic of credential theft (e.g., "urgent action required", "verify your account"). Any links found in the message body or attachments are then examined with link analysis in aggressive mode to assess their legitimacy, with particular attention to domains that are not associated with well-known sources such as "play.google.com". The rule adds further conditions on the sender's profile: it matches new, untrusted senders and senders with a history of malicious messages, while excluding common sender domains associated with legitimate use, such as DocuSign. Overall, the goal is to strictly filter out communications that could compromise user credentials while minimizing false positives from trusted domains or known senders.
Categories
  • Web
  • Endpoint
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Network Traffic
  • Application Log
  • Web Credential
  • File
Created: 2023-11-21