
Free subdomain link with login or captcha (untrusted sender)

Sublime Rules

Summary
This rule detects likely credential phishing that uses free-subdomain links in messages. It fires on messages whose body contains fewer than 10 links, at least one of which points to a free subdomain whose page contains login fields or a CAPTCHA prompt. To limit false positives, it excludes known legitimate sources, such as certain subdomains of well-known services like Zendesk and SharePoint Online. It also negates highly trusted sender domains unless DMARC authentication fails, which accounts for abnormal communication patterns from those senders. Detection combines several analytical methods: computer vision, file analysis, sender analysis, and URL screenshots. Overall, the rule flags messages from untrusted sources that meet these criteria for credential phishing, protecting users from such attacks.
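As an added illustration (not Sublime's own rule code), the Python below re-implements the decision logic described in the summary over a simplified message model; the free-subdomain, exclusion and trusted-sender lists and the per-link page-analysis flags are constructed placeholders, not the rule's real data.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed placeholder lists for this illustration; the rule's real
# free-subdomain provider list and exclusion list are not reproduced here.
FREE_SUBDOMAIN_ROOTS = {"freepages.example", "sites.example"}
# Roots whose customer subdomains are legitimate (Zendesk- and
# SharePoint-Online-style services); constructed placeholder names.
LEGITIMATE_SUBDOMAIN_ROOTS = {"helpdesk.example", "cloudshare.example"}
HIGH_TRUST_SENDER_DOMAINS = {"bank.example"}
MAX_LINKS = 10  # the rule requires fewer than 10 links in the body


@dataclass
class Link:
    domain: str                      # host part of the link
    has_login_fields: bool = False   # result of page / screenshot analysis
    has_captcha: bool = False        # result of computer vision on screenshot


@dataclass
class Message:
    sender_domain: str
    dmarc_pass: bool
    links: List[Link] = field(default_factory=list)


def is_subdomain_of(domain: str, roots: set) -> bool:
    """True when domain is a strict subdomain of one of the roots."""
    d = domain.lower().rstrip(".")
    return any(d.endswith("." + root) for root in roots)


def rule_matches(msg: Message) -> bool:
    """Return True when the message meets the rule's alert criteria."""
    # Highly trusted senders are negated unless DMARC authentication fails.
    if msg.sender_domain.lower() in HIGH_TRUST_SENDER_DOMAINS and msg.dmarc_pass:
        return False
    # Link-count criterion: fewer than 10 links in the message body.
    if len(msg.links) >= MAX_LINKS:
        return False
    for link in msg.links:
        # Known legitimate sources are excluded even if they look free-hosted.
        if is_subdomain_of(link.domain, LEGITIMATE_SUBDOMAIN_ROOTS):
            continue
        if is_subdomain_of(link.domain, FREE_SUBDOMAIN_ROOTS) and (
            link.has_login_fields or link.has_captcha
        ):
            return True
    return False
```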
Categories
  • Web
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
  • Web Credential
Created: 2022-09-28