diff --git a/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml b/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml
new file mode 100644
index 00000000000..78351fb932a
--- /dev/null
+++ b/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml
@@ -0,0 +1,29 @@
+name: "Suspicious TLD in headers with SPF/DMARC failures or high confidence credential theft"
+description: |
+  Flags inbound emails with suspicious TLDs in the headers, SPF/DMARC failures, or high-confidence credential theft indicators
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(headers.domains, .tld in $suspicious_tlds and .tld != sender.email.domain.tld)
+  // SPF Errors/Failures or DMARC Fail
+  and (
+    any(distinct(headers.hops, .received_spf.verdict is not null),
+        regex.icontains(.received_spf.verdict, "fail|error")
+        or any(distinct(headers.hops, .authentication_results.dmarc is not null),
+               strings.ilike(.authentication_results.dmarc, "*fail")
+
+               // Or Cred_theft confidence High
+               or any(ml.nlu_classifier(body.current_thread.text).intents,
+                      .name in ("cred_theft") and .confidence == "high"
+               )
+        )
+    )
+  )
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+detection_methods:
+  - "Header analysis"
+  - "Natural Language Understanding"
+id: "e8696023-4a1e-542a-8c22-784a3d33c7a4"
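Review bot: The DMARC and credential-theft alternatives in the `and (` group of `source:` are nested inside the predicate of the SPF `any(distinct(headers.hops, .received_spf.verdict is not null), ...)`, so as the parentheses read, a message with no hop carrying an SPF verdict can never match, and the cred_theft intent only counts when some hop also carries a DMARC result — neither of which the description's "SPF/DMARC failures, or high-confidence credential theft" suggests. Unless the nesting is intentional, the three conditions should be sibling disjuncts under the outer `and (`, as below. The description's first clause also reads as if a suspicious TLD were one more alternative rather than the required first condition; `Flags inbound emails that carry a suspicious TLD in the headers together with SPF/DMARC failures or high-confidence credential theft indicators` would match the logic.
```yaml
source: |
  type.inbound
  and any(headers.domains, .tld in $suspicious_tlds and .tld != sender.email.domain.tld)
  // SPF errors/failures, DMARC failure, or high-confidence cred_theft — each stands on its own
  and (
    any(distinct(headers.hops, .received_spf.verdict is not null),
        regex.icontains(.received_spf.verdict, "fail|error")
    )
    or any(distinct(headers.hops, .authentication_results.dmarc is not null),
           strings.ilike(.authentication_results.dmarc, "*fail")
    )
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name in ("cred_theft") and .confidence == "high"
    )
  )
# … unchanged: name, description, type, severity, attack_types, detection_methods, id …
```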