diff --git a/detection-rules/link_self_sender_cred_theft_config_placeholder.yml b/detection-rules/link_self_sender_cred_theft_config_placeholder.yml
new file mode 100644
index 00000000000..87a71cf92ad
--- /dev/null
+++ b/detection-rules/link_self_sender_cred_theft_config_placeholder.yml
@@ -0,0 +1,28 @@
+name: "Link: Self-sender credential theft with configuration placeholder"
+description: "Detects messages where the sender and recipient are the same address, containing credential theft language and links with configuration placeholder text indicating a phishing lure."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ // self sender
+ and length(recipients.to) == 1
+ and sender.email.email == recipients.to[0].email.email
+ and any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == 'cred_theft' and .confidence != 'low'
+ )
+ and any(body.current_thread.links,
+ strings.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
+ '/*──── CONFIG: Replace with your lure URL ────*/'
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+ - "Evasion"
+detection_methods:
+ - "Natural Language Understanding"
+ - "Content analysis"
+ - "URL analysis"
+ - "Header analysis"
+id: "dbf2ce70-9637-5c05-a98c-5af01c687d17"
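Review bot: The link clause in `source` keys on an exact, case-sensitive match of the kit's template comment including the box-drawing `────` runs, so any variant of that string (different dash count, casing, or surrounding whitespace) silently misses, and nothing in the rule explains where the string comes from. Consider loosening the match to `strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw, 'CONFIG: Replace with your lure URL')` and adding `// placeholder comment the phishing kit template leaves in the rendered lure page` above it so a future maintainer knows why this literal is the primary signal. Note also that `ml.link_analysis` in aggressive mode is invoked for every entry in `body.current_thread.links` with no upper bound on link count; if this repository's other link rules guard that with a `length(body.current_thread.links) < N` check, this one presumably should too. The self-sender test at `sender.email.email == recipients.to[0].email.email` takes no authentication results into account, which is acceptable here because the placeholder string carries the verdict, but the description should say that the self-sender and NLU clauses only narrow scope rather than establish maliciousness.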