Link: Google Drawings link from new sender

Sublime Rules

Summary
This rule detects inbound messages that contain Google Drawings links from previously unseen (new) senders, targeting credential-phishing scenarios. It triggers when a message's current thread includes a link with the domain docs.google.com and a path starting with /drawings, and the path contains /preview or the body text triggers a non-low confidence cred_theft intent via an NLU classifier. Additionally, the sender profile must indicate a new sender (prevalence == "new"). The rule maps to Credential Phishing and BEC/Fraud, with a social engineering tactic. Detection methods include URL analysis (to validate the Google Docs link pattern and /preview state) and sender analysis (to enforce a new-sender condition). Data and signals come from the email content (links and text) and the sender’s reputation, enabling early warning of potential credential theft or fraud delivered through Google Drawings links from new contacts.
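The detection logic described above, re-implemented in Python as an added example (it is not Sublime's MQL rule or any code from the Sublime Rules project). The sender prevalence value and the NLU intents are taken as plain inputs standing in for Sublime's sender profile and classifier output, and all sample messages and IDs are constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Message:
    """Constructed stand-in for the fields the rule consumes (not Sublime's schema)."""
    links: list                 # href URLs found in the current thread
    sender_prevalence: str      # "new", "common", ... as a sender profile would report
    # (intent_name, confidence) pairs standing in for an NLU classifier's output
    nlu_intents: list = field(default_factory=list)


def is_google_drawings_link(url: str) -> bool:
    """URL analysis: exact docs.google.com host and a path under /drawings."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # Exact host comparison rejects lookalikes such as docs.google.com.evil.example
    return host == "docs.google.com" and parsed.path.startswith("/drawings")


def has_preview_path(url: str) -> bool:
    """True when the Drawings link is in its /preview state."""
    return "/preview" in urlparse(url).path


def has_cred_theft_intent(intents) -> bool:
    """True when the classifier reports cred_theft at other than low confidence."""
    return any(name == "cred_theft" and conf != "low" for name, conf in intents)


def matches_rule(msg: Message) -> bool:
    """Sender analysis (new sender) AND a Drawings link with /preview or cred-theft intent."""
    if msg.sender_prevalence != "new":
        return False
    drawings = [u for u in msg.links if is_google_drawings_link(u)]
    if not drawings:
        return False
    return any(has_preview_path(u) for u in drawings) or has_cred_theft_intent(msg.nlu_intents)


# Constructed samples covering the main branches and two near-misses
SAMPLES = {
    "preview_new_sender": Message(
        ["https://docs.google.com/drawings/d/PLACEHOLDER_ID/preview"], "new"),
    "edit_link_cred_theft_new_sender": Message(
        ["https://docs.google.com/drawings/d/PLACEHOLDER_ID/edit"], "new",
        [("cred_theft", "high")]),
    "edit_link_low_confidence_new_sender": Message(
        ["https://docs.google.com/drawings/d/PLACEHOLDER_ID/edit"], "new",
        [("cred_theft", "low")]),
    "preview_known_sender": Message(
        ["https://docs.google.com/drawings/d/PLACEHOLDER_ID/preview"], "common"),
    "lookalike_host_new_sender": Message(
        ["https://docs.google.com.evil.example/drawings/d/x/preview"], "new"),
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the rule would fire on it."""
    return {name: matches_rule(m) for name, m in SAMPLES.items()}
```

Only the first two samples fire: the low-confidence intent, the known sender and the lookalike host all fall outside the rule's conditions.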
Categories
  • Web
  • Application
Data Sources
  • Web Credential
  • Network Traffic
Created: 2026-03-10