diff --git a/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml b/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml
new file mode 100644
index 00000000000..cce6d5299ae
--- /dev/null
+++ b/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml
@@ -0,0 +1,267 @@
+name: "Credential Phishing: Suspicious subject with urgent financial request and link"
+description: "This rule inspects messages where the subject is suspicious with less than 5 links and a relatively short body. Natural Language Understanding is being used to identify the inclusion of a financial, request, urgency and org entity from an unsolicited sender."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and 0 < length(body.links) < 5
+  
+  // ignore emails in body
+  and not all(body.links, .href_url.domain.domain in $free_email_providers)
+  
+  and length(body.current_thread.text) < 2000
+  and length(subject.subject) < 100
+  
+  // and suspicious subject
+  and regex.icontains(subject.subject,
+                      // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects_regex.txt
+                      "termination.*notice",
+                      "38417",
+                      ":completed",
+                      "[il1]{2}mit.*ma[il1]{2} ?bo?x",
+                      "[il][il][il]egai[ -]",
+                      "[li][li][li]ega[li] attempt",
+                      "[ng]-?[io]n .*block",
+                      "[ng]-?[io]n .*cancel",
+                      "[ng]-?[io]n .*deactiv",
+                      "[ng]-?[io]n .*disabl",
+                      "action.*required",
+                      "abandon.*package",
+                      "about.your.account",
+                      "acc(ou)?n?t (is )?on ho[li]d",
+                      "acc(ou)?n?t.*terminat",
+                      "acc(oun)?t.*[il1]{2}mitation",
+                      "access.*limitation",
+                      "account (will be )?block",
+                      "account.*de-?activat",
+                      "account.*locked",
+                      "account.*re-verification",
+                      "account.*security",
+                      "account.*suspension",
+                      "account.has.been",
+                      "account.has.expired",
+                      "account.will.be.blocked",
+                      "account v[il]o[li]at",
+                      "activity.*acc(oun)?t",
+                      "almost.full",
+                      "app[li]e.[il]d",
+                      "authenticate.*account",
+                      "been.*suspend",
+                      "clos.*of.*account.*processed",
+                      "confirm.your.account",
+                      "courier.*able",
+                      "deactivation.*in.*progress",
+                      "delivery.*attempt.*failed",
+                      "document.received",
+                      "documented.*shared.*with.*you",
+                      "dropbox.*document",
+                      "e-?ma[il1]+ .{010}suspen",
+                      "e-?ma[il1]{1} user",
+                      "e-?ma[il1]{2} acc",
+                      "e-?ma[il1]{2}.*up.?grade",
+                      "e.?ma[il1]{2}.*server",
+                      "e.?ma[il1]{2}.*suspend",
+                      "email.update",
+                      "faxed you",
+                      "fraud(ulent)?.*charge",
+                      "from.helpdesk",
+                      "fu[il1]{2}.*ma[il1]+[ -]?box",
+                      "has.been.*suspended",
+                      "has.been.limited",
+                      "have.locked",
+                      "he[li]p ?desk upgrade",
+                      "heipdesk",
+                      "i[il]iega[il]",
+                      "ii[il]ega[il]",
+                      "incoming e?mail",
+                      "incoming.*fax",
+                      "lock.*security",
+                      "ma[il1]{1}[ -]?box.*quo",
+                      "ma[il1]{2}[ -]?box.*fu[il1]",
+                      "ma[il1]{2}box.*[il1]{2}mit",
+                      "ma[il1]{2}box stor",
+                      "mail on.?hold",
+                      "mail.*box.*migration",
+                      "mail.*de-?activat",
+                      "mail.update.required",
+                      "mails.*pending",
+                      "messages.*pending",
+                      "missed.*shipping.*notification",
+                      "missed.shipment.notification",
+                      "must.update.your.account",
+                      "new [sl][io]g?[nig][ -]?in from",
+                      "new voice ?-?mail",
+                      "notifications.*pending",
+                      "office.*3.*6.*5.*suspend",
+                      "office365",
+                      "on google docs with you",
+                      "online doc",
+                      "password.*compromised",
+                      "periodic maintenance",
+                      "potential(ly)? unauthorized",
+                      "refund not approved",
+                      "revised.*policy",
+                      "scam",
+                      "scanned.?invoice",
+                      "secured?.update",
+                      "security breach",
+                      "securlty",
+                      "signed.*delivery",
+                      "status of your .{314}? ?delivery",
+                      "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
+                      "suspicious.*sign.*[io]n",
+                      "suspicious.activit",
+                      "temporar(il)?y deactivate",
+                      "temporar[il1]{2}y disab[li]ed",
+                      "temporarily.*lock",
+                      "un-?usua[li].activity",
+                      "unable.*deliver",
+                      "unauthorized.*activit",
+                      "unauthorized.device",
+                      "unauthorized.sign.?in",
+                      "unrecognized.*activit",
+                      "unrecognized.sign.?in",
+                      "unrecognized.*activit",
+                      "undelivered message",
+                      "unread.*doc",
+                      "unusual.activity",
+                      "upgrade.*account",
+                      "upgrade.notice",
+                      "urgent message",
+                      "urgent.verification",
+                      "v[il1]o[li1]at[il1]on security",
+                      "va[il1]{1}date.*ma[il1]{2}[ -]?box",
+                      "verification ?-?require",
+                      "verification( )?-?need",
+                      "verify.your?.account",
+                      "web ?-?ma[il1]{2}",
+                      "web[ -]?ma[il1]{2}",
+                      "will.be.suspended",
+                      "your (customer )?account .as",
+                      "your.office.365",
+                      "your.online.access",
+  
+                      // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt
+                      "account has been limited",
+                      "action required",
+                      "almost full",
+                      "apd notifi cation",
+                      "are you at your desk",
+                      "are you available",
+                      "attached file to docusign",
+                      "banking is temporarily unavailable",
+                      "bankofamerica",
+                      "closing statement invoice",
+                      "completed: docusign",
+                      "de-activation of",
+                      "delivery attempt",
+                      "delivery stopped for shipment",
+                      "detected suspicious",
+                      "detected suspicious actvity",
+                      "docu sign",
+                      "document for you",
+                      "document has been sent to you via docusign",
+                      "document is ready for signature",
+                      "docusign",
+                      "encrypted message",
+                      "failed delivery",
+                      "fedex tracking",
+                      "file was shared",
+                      "freefax",
+                      "fwd: due invoice paid",
+                      "has shared",
+                      "inbox is full",
+                      "invitation to comment",
+                      "invitation to edit",
+                      "invoice due",
+                      "left you a message",
+                      "message from",
+                      "new message",
+                      "new voicemail",
+                      "on desk",
+                      "out of space",
+                      "password reset",
+                      "payment status",
+                      "quick reply",
+                      "re: w-2",
+                      "required",
+                      "required: completed docusign",
+                      "ringcentral",
+                      "scanned image",
+                      "secured files",
+                      "secured pdf",
+                      "security alert",
+                      "new sign-in",
+                      "new sign in",
+                      "sign-in attempt",
+                      "sign in attempt",
+                      "staff review",
+                      "suspicious activity",
+                      "unrecognized login attempt",
+                      "upgrade immediately",
+                      "urgent",
+                      "wants to share",
+                      "w2",
+                      "you have notifications pending",
+                      "your account",
+                      "your amazon order",
+                      "your document settlement",
+                      "your order with amazon",
+                      "your password has been compromised",
+  )
+  
+  // language attempting to engage
+  and any(ml.nlu_classifier(body.current_thread.text).entities,
+          .name == "request"
+  )
+  
+  // financial request
+  and any(ml.nlu_classifier(body.current_thread.text).entities,
+          .name == "financial"
+  )
+  
+  // urgency request
+  and any(ml.nlu_classifier(body.current_thread.text).entities,
+          .name == "urgency"
+  )
+  
+  // org presence
+  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "org")
+  
+  // not a reply
+  and (
+    not strings.istarts_with(subject.subject, "re:")
+    and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+  )
+  
+  // the message is unsolicited and no false positives
+  and (
+    not profile.by_sender().solicited
+    or profile.by_sender().any_messages_malicious_or_spam
+  )
+  and not profile.by_sender().any_false_positives
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+            strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+id: "056464f4-7a16-5f07-ab86-912e0a64ecae"