
Summary
This detection rule identifies phishing attempts that abuse Microsoft Dynamics 365 forms: targeted email messages containing links to the domains "ncv.microsoft.com" and "customervoice.microsoft.com". The rule evaluates emails marked as high risk, meaning their body content was judged suspicious on the basis of the specified link analysis, including confirmation that the links lead to forms hosted on "cdn.forms.office.net", a legitimate Microsoft domain used for form submission. It then looks for signs of credential theft using machine learning classifiers applied both to a screenshot of the message and to the content of the email thread. Finally, it checks the sender profile to ensure the message originates from an unsolicited or untrusted sender, with special handling for high-trust sender domains whose messages fail DMARC checks. This multi-layered approach combines URL and content analysis with optical character recognition and natural language understanding to flag emails that attempt to deceive users into providing sensitive information.
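As an added illustration (not the rule's own query or code), the following Python sketch models the three layers the summary describes: the Dynamics 365 link check, the credential-theft classifier verdicts, and the sender-profile check. The message fields, the sender-profile model and the classifier booleans are assumptions; the sample messages are constructed.

```python
from urllib.parse import urlparse

# Domains named in the rule summary above.
DYNAMICS_FORM_HOSTS = {"ncv.microsoft.com", "customervoice.microsoft.com"}
FORM_CDN_HOST = "cdn.forms.office.net"

def _host(url):
    return (urlparse(url).hostname or "").lower()

def dynamics_form_links(links):
    """Links that point at a Dynamics 365 form host and, after redirects,
    land on a form hosted on cdn.forms.office.net."""
    return [link for link in links
            if _host(link["href"]) in DYNAMICS_FORM_HOSTS
            and _host(link["final_url"]) == FORM_CDN_HOST]

def sender_is_suspect(sender):
    """Sender-profile check (assumed model): a sender with no prior history
    ("new") or an outlier is unsolicited; a high-trust domain is only suspect
    when the message fails DMARC, i.e. the domain is likely being spoofed."""
    if sender["high_trust"]:
        return not sender["dmarc_pass"]
    return sender["prevalence"] in {"new", "outlier"}

def evaluate(msg):
    """Combine the three layers. The two credential-theft booleans stand in
    for the OCR/NLU classifier verdicts an upstream pipeline would supply."""
    form_links = dynamics_form_links(msg["links"])
    cred_theft = msg["screenshot_cred_theft"] or msg["thread_cred_theft"]
    matched = bool(form_links) and cred_theft and sender_is_suspect(msg["sender"])
    return {"matched": matched, "form_links": [l["href"] for l in form_links]}

# Constructed sample: a spoofed high-trust sender whose link passes through
# customervoice.microsoft.com to a form on cdn.forms.office.net.
SAMPLE_PHISH = {
    "links": [
        {"href": "https://customervoice.microsoft.com/form?id=CONSTRUCTED",
         "final_url": "https://cdn.forms.office.net/form/CONSTRUCTED"},
        {"href": "https://www.microsoft.com/", "final_url": "https://www.microsoft.com/"},
    ],
    "screenshot_cred_theft": True,
    "thread_cred_theft": False,
    "sender": {"prevalence": "common", "high_trust": True, "dmarc_pass": False},
}

# Same message from a legitimate, DMARC-passing sender: must not match.
SAMPLE_BENIGN = {**SAMPLE_PHISH, "sender": {"prevalence": "common", "high_trust": True, "dmarc_pass": True}}
```

The benign case shows why the DMARC condition matters: the same links and the same classifier verdicts are not enough on their own when the high-trust sender is genuine.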
Categories
- Endpoint
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Network Traffic
- Image
- Application Log
Created: 2023-05-26