diff --git a/detection-rules/impersonation_microsoft_credential_theft.yml b/detection-rules/impersonation_microsoft_credential_theft.yml
new file mode 100644
index 00000000000..dbdecacfa57
--- /dev/null
+++ b/detection-rules/impersonation_microsoft_credential_theft.yml
@@ -0,0 +1,74 @@
+name: "Brand impersonation: Microsoft with embedded logo and credential theft language"
+description: "This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and (
+    length(attachments) > 0
+    and (
+      all(attachments, .file_type in $file_types_images or .file_type == "pdf")
+      or length(attachments) == 0
+    )
+  )
+  and any(ml.logo_detect(beta.message_screenshot()).brands,
+          strings.starts_with(.name, "Microsoft")
+  )
+  and (
+    any(ml.nlu_classifier(body.current_thread.text).intents,
+        .name == "cred_theft" and .confidence in ("medium", "high")
+    )
+    or (
+      length(body.current_thread.text) == 0
+      and any(file.explode(beta.message_screenshot()),
+              any(ml.nlu_classifier(.scan.ocr.raw).intents,
+                  .name == "cred_theft" and .confidence in ("medium", "high")
+              )
+      )
+    )
+  )
+  and (
+    not (
+      headers.auth_summary.dmarc.pass
+      and headers.auth_summary.dmarc.details.from.domain in (
+        "azureadnotifications.us",
+        "microsoft.com",
+        "sharepointonline.com",
+        "cloudappsecurity.com",
+        "microsoftsupport.com",
+        "microsoft.onmicrosoft.com",
+        "yammer.com"
+      )
+    )
+    or headers.auth_summary.dmarc.pass is null
+    or headers.auth_summary.dmarc.details.from.domain is null
+  )
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  and not profile.by_sender().any_false_positives
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Computer Vision"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+id: "3ee9ef3d-8ec4-5df0-a8a2-5c6d037eb17a"
+testing_pr: 2106
+testing_sha: 6b9836d00dbdd652b77ec1602a2db399d1f023e4