
Summary
This detection rule targets potential unauthorized data staging attempts within a Snowflake environment by detecting specific `COPY INTO` queries that lack an appropriate URL pattern. The logic inspects the `query_history` for recent queries executed in the last two hours that start with `COPY INTO`, but do not include a valid destination format. The absence of a correct URL pattern after `COPY INTO` may indicate an attempt to stage sensitive information internally or exfiltrate data improperly. The detection is particularly relevant in scenarios associated with threat actor UNC5537, known for data theft and extortion involving Snowflake, linked with the software named "rapeflake." The rule may help organizations identify and mitigate risks related to internal data movement activities that could lead to data breaches.
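The logic described above, written out as a Snowflake SQL query. This is an added example, not the rule's own query or detection content: it assumes the SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY view (readable by ACCOUNTADMIN or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database), takes Snowflake's s3://, azure:// and gcs:// prefixes as the "valid URL pattern", and adds one narrowing condition (destination is a stage reference) that the summary does not mention.

```sql
-- Added example, not the rule's own query.
-- Assumes: SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY is readable, and that a
-- "valid destination URL" means a quoted s3://, azure:// or gcs:// location.
SELECT
    query_id,
    start_time,
    user_name,
    role_name,
    warehouse_name,
    execution_status,
    query_text
FROM snowflake.account_usage.query_history
-- Two-hour lookback, as in the rule summary.
WHERE start_time >= DATEADD(hour, -2, CURRENT_TIMESTAMP())
  -- Rule condition 1: the statement starts with COPY INTO
  -- ('i' = case-insensitive, 's' = '.' also matches newlines; REGEXP_LIKE
  -- matches the whole string, hence the trailing .*).
  AND REGEXP_LIKE(query_text, $$^\s*COPY\s+INTO\s+.*$$, 'is')
  -- Rule condition 2: no cloud-storage URL follows COPY INTO.
  -- The URL prefixes are an assumption about what "valid URL pattern" means.
  AND NOT REGEXP_LIKE(query_text, $$^\s*COPY\s+INTO\s+'(s3|azure|gcs)://.*$$, 'is')
  -- Added narrowing (assumption, not in the summarised rule): keep only unloads,
  -- i.e. the destination is a stage reference (@~ user stage, @%t table stage,
  -- @name named stage). Loads (COPY INTO <table> FROM @stage) also lack a URL
  -- and would otherwise dominate the results.
  AND REGEXP_LIKE(query_text, $$^\s*COPY\s+INTO\s+@.*$$, 'is')
ORDER BY start_time DESC;
```

Two caveats when running this: the ACCOUNT_USAGE view can lag by up to 45 minutes, so a near-real-time two-hour window is better served by the INFORMATION_SCHEMA.QUERY_HISTORY table function (7-day retention); and a named stage matched by the `@` condition can itself be external, so hits on named stages are worth checking against the stage definition before being treated as internal staging.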
Categories
- Cloud
- Database
- Application
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1074.001
- T1074
Created: 2024-06-10