How would you design a detection rule to identify credential stuffing attacks without generating excessive false positives?