diff --git a/detection-rules/link_credential_phishing_copy_paste_instructions.yml b/detection-rules/link_credential_phishing_copy_paste_instructions.yml
new file mode 100644
index 00000000000..586e2551183
--- /dev/null
+++ b/detection-rules/link_credential_phishing_copy_paste_instructions.yml
@@ -0,0 +1,34 @@
+name: "Link: URL shortener with copy-paste instructions and credential theft language"
+description: "Detects messages containing only URL shorteners with copy-paste instructions and high-confidence credential theft language, typically used to evade URL analysis by requiring manual URL entry."
+type: "rule"
+severity: "low"
+source: |
+ type.inbound
+ and length(body.current_thread.links) > 0
+ and all(body.current_thread.links,
+ .href_url.domain.root_domain in $url_shorteners
+ )
+ and (
+ strings.icontains(body.current_thread.text, 'copy')
+ and (
+ strings.icontains(body.current_thread.text, 'pasting')
+ or strings.icontains(body.current_thread.text, 'paste')
+ )
+ )
+ and any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == 'cred_theft' and .confidence == 'high'
+ )
+ // negate display urls that match the sender root domain
+ and not any(body.current_thread.links,
+ .display_url.domain.root_domain == sender.email.domain.root_domain
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Natural Language Understanding"
+ - "URL analysis"
+id: "a0a2c573-3686-590e-8715-fc4a32202c92"
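Review bot: `strings.icontains(body.current_thread.text, 'copy')` also matches the substring inside "copyright", which appears in most legitimate footers, so in practice the copy-paste condition collapses to a bare "paste"/"pasting" substring check anywhere in the body; a proximity match is closer to the behaviour the description promises, e.g. `regex.icontains(body.current_thread.text, '\bcopy\b.{0,40}\bpast(e|ing)\b')`. The final negation on `.display_url.domain.root_domain == sender.email.domain.root_domain` is keyed on a sender domain that the attacker chooses and that nothing here authenticates, so a message can opt out of the rule simply by showing its own From domain as the link text; consider only honouring that exclusion when the sender passes authentication, for example adding `and headers.auth_summary.dmarc.pass` to that branch (confirm the field path against the MQL schema in use). A one-line comment above the copy/paste block, such as `// body asks the reader to copy/paste the link instead of clicking it`, would make the intent as clear as the existing comment on the display-URL negation.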