
Summary
This detection rule identifies potentially malicious messages that contain links to Freshdesk support solution pages. It targets links that appear to originate from a legitimate source (Freshdesk) but actually lead to external domains that may be used for credential theft. The rule distinguishes genuine Freshworks domains from potentially harmful redirects to unknown domains. Its parameters restrict analysis to messages containing fewer than 10 links, filtering for links on the Freshdesk domain whose paths indicate support solution pages. The rule then checks for links that lead to domains the organization does not recognize as legitimate, including domains that do not match the sender's email domain. A natural language understanding component looks for content indicative of credential theft, identified by specific intents at high confidence. This layered approach gives a focused response to sophisticated phishing attempts that combine social engineering with brand impersonation.
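The following Python block is an added illustration of the rule's gating logic (link count, Freshdesk support-solutions path, unrecognized destination domain, sender-domain comparison, and a high-confidence credential-theft intent); it is not the rule's own query or the vendor's code. It assumes the brand domains freshdesk.com and freshworks.com, a `/support/solutions` path pattern, a confidence threshold of 0.9 for "high confidence", and that redirect resolution and the NLU intent verdict are produced by other stages and supplied as inputs. The sample messages are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Assumption: the brand domains treated as genuine Freshworks infrastructure.
FRESHWORKS_DOMAINS = {"freshdesk.com", "freshworks.com"}
# Assumption: the path pattern that marks a Freshdesk "support solutions" page.
SUPPORT_SOLUTIONS_PATH = re.compile(r"^/support/solutions(?:/|$)")
MAX_LINKS = 10            # from the rule: only messages with fewer than 10 links are analyzed
HIGH_CONFIDENCE = 0.9     # assumption: what "high confidence" means for the NLU intent


@dataclass
class Link:
    href: str                            # URL as it appears in the message
    effective_url: Optional[str] = None  # landing URL after redirects, if link analysis resolved it


@dataclass
class Message:
    sender: str
    links: list
    credential_theft_intent: bool        # NLU verdict, modelled here as an input
    intent_confidence: float


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (sufficient for the domains used here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_freshdesk_support_link(link: Link) -> bool:
    """True when the visible URL is on freshdesk.com with a support-solutions path."""
    parsed = urlparse(link.href)
    return (registered_domain(parsed.hostname or "") == "freshdesk.com"
            and bool(SUPPORT_SOLUTIONS_PATH.match(parsed.path)))


def is_unrecognised_destination(url: str, sender_domain: str, org_domains: set) -> bool:
    """True when the destination is neither a Freshworks, organization, nor sender domain."""
    dest = registered_domain(urlparse(url).hostname or "")
    return dest not in FRESHWORKS_DOMAINS and dest not in org_domains and dest != sender_domain


def evaluate(message: Message, org_domains: set) -> dict:
    """Apply the rule's conditions in order; returns a verdict and the reasons behind it."""
    reasons = []
    if len(message.links) >= MAX_LINKS:
        return {"match": False, "reasons": ["too many links"]}

    freshdesk_links = [l for l in message.links if is_freshdesk_support_link(l)]
    if not freshdesk_links:
        return {"match": False, "reasons": ["no Freshdesk support-solutions link"]}
    reasons.append(f"{len(freshdesk_links)} Freshdesk support-solutions link(s)")

    sender_domain = registered_domain(message.sender.rsplit("@", 1)[-1])
    # Judge each link by where it actually lands, falling back to the visible URL.
    external = [l.effective_url or l.href for l in message.links
                if is_unrecognised_destination(l.effective_url or l.href, sender_domain, org_domains)]
    if not external:
        return {"match": False, "reasons": reasons + ["all destinations recognised"]}
    reasons.append(f"unrecognised destination(s): {external}")

    if not (message.credential_theft_intent and message.intent_confidence >= HIGH_CONFIDENCE):
        return {"match": False, "reasons": reasons + ["no high-confidence credential-theft intent"]}
    reasons.append("credential-theft intent at high confidence")
    return {"match": True, "reasons": reasons}


# Constructed samples (not real messages). The organization owns acme-corp.com.
ORG_DOMAINS = {"acme-corp.com"}
SUSPICIOUS = Message(
    sender="helpdesk@acme-corp.com",
    links=[Link("https://acme-corp.freshdesk.com/support/solutions/articles/1001-password-reset",
                effective_url="https://login-verify.example/reset")],
    credential_theft_intent=True, intent_confidence=0.97)
BENIGN = Message(
    sender="helpdesk@acme-corp.com",
    links=[Link("https://acme-corp.freshdesk.com/support/solutions/articles/1002-vpn-setup",
                effective_url="https://docs.acme-corp.com/vpn")],
    credential_theft_intent=False, intent_confidence=0.2)

if __name__ == "__main__":
    for name, msg in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, evaluate(msg, ORG_DOMAINS))
```

The conditions are evaluated in the same order the rule description gives them, so the returned `reasons` list shows exactly which gate stopped a message; a Freshdesk link whose redirect lands on the organization's own domain is treated as recognised and never reaches the intent check.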
Categories
- Web
- Cloud
Data Sources
- Web Credential
- Network Traffic
Created: 2025-08-22