diff --git a/detection-rules/link_self_sender_cred_theft_sus_tlds.yml b/detection-rules/link_self_sender_cred_theft_sus_tlds.yml
new file mode 100644
index 00000000000..faac03583fe
--- /dev/null
+++ b/detection-rules/link_self_sender_cred_theft_sus_tlds.yml
@@ -0,0 +1,34 @@
+name: "Link: Self-sender credential theft with suspicious TLD"
+description: "Detects messages where the sender and recipient are the same, DMARC authentication passes, but the message contains links to suspicious top-level domains and shows machine learning indicators of credential theft intent."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  // self sender
+  and sender.email.email == recipients.to[0].email.email
+  // auth passes
+  and coalesce(headers.auth_summary.dmarc.pass, false)
+  // link is suspicious tlds
+  and any(body.links,
+          .href_url.domain.tld in~ $suspicious_tlds
+          // and sender.email.domain.tld == .href_url.domain.tld
+  )
+  // ML signals credential phishing
+  and any(ml.nlu_classifier(body.current_thread.text).intents,
+          .name == "cred_theft" and .confidence != "low"
+  )
+  // exclude json attachments from legit services
+  // all will provide samples without attachments as well
+  and all(attachments, .file_extension != "json")
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Spoofing"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+  - "URL analysis"
+  - "Natural Language Understanding"
+  - "Threat intelligence"
+id: "2221809b-f2d3-5323-973c-9fe46a969660"
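Review bot: The attachment exclusion `and all(attachments, .file_extension != "json")` suppresses the whole rule whenever any attachment carries a .json extension, so an attacker only has to attach an empty .json file to the same self-sender credential-theft message to bypass it; the comment above it says the legitimate services also send samples without attachments, which suggests the exclusion is not needed for coverage and could be dropped, or at least narrowed to the specific senders it was added for. The self-sender check `and sender.email.email == recipients.to[0].email.email` inspects only the first To address, so a message where the sender appears as a later recipient (or, if `recipients.to[0]` is null for a BCC-only message, any such message) is missed; `and any(recipients.to, .email.email == sender.email.email)` covers both, at the cost of also matching multi-recipient mail. The disabled line `// and sender.email.domain.tld == .href_url.domain.tld` is dead code in a brand-new file and should either be removed or carry a comment explaining why it was left out. `.confidence != "low"` will also pass when an intent's confidence is missing, if the classifier can return that; `.confidence in ("medium", "high")` states the intended threshold positively.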