
Summary
Detects inbound messages containing links whose host is a numeric-only IP representation (7–12 digits) in the URL host portion, a common evasion technique used to bypass domain-based URL filters. The rule analyzes inbound content, extracts links from the message body, and applies a regex against href_url.url to identify URLs that start with http or https and use a numeric host (e.g., http(s)://123456789/...). When a link matches, it raises a detection for potential credential phishing or malware/ransomware delivery via an obfuscated IP address. This technique complements traditional URL reputation checks by catching attempts that avoid domain-based blocks. The rule is categorized under evasion and has a medium severity, with attack types including Credential Phishing and Malware/Ransomware. The primary detection method is URL analysis. Recommendations include alerting, quarantining suspicious messages, and correlating with sender reputation and payload characteristics to reduce false positives. Be aware that some legitimate IP-based hosts exist; rely on additional signals (sender, payload type, destination) to determine risk and trigger appropriate containment.
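The following is an added worked example, not the rule's own implementation, that reproduces the detection logic described above in Python: it extracts hrefs from a constructed message body, applies a numeric-host regex to each link, and additionally decodes the decimal host into dotted-quad notation so an analyst can see which address the link actually resolves to. The exact regex used by the rule is not on the page, so the pattern below (7–12 digits immediately after the scheme, followed by a path, port, query, fragment, or end of string) is an assumption, as are the helper names and the sample body.

```python
import re
import ipaddress

# Matches http/https URLs whose host portion is 7-12 decimal digits only
# (a decimal-encoded IPv4 address such as http://3232235777/). The rule's
# exact pattern is not published on the page; this one is an assumption.
NUMERIC_HOST_RE = re.compile(r"^https?://(\d{7,12})(?=[/:?#]|$)", re.IGNORECASE)

# Minimal href extractor for an HTML message body (constructed for this example;
# a production pipeline would use a real HTML parser).
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def extract_links(body: str) -> list[str]:
    """Return every href target found in the message body."""
    return HREF_RE.findall(body)


def numeric_host(url: str):
    """Return the digit-only host if the URL matches the rule, otherwise None."""
    m = NUMERIC_HOST_RE.match(url.strip())
    return m.group(1) if m else None


def decode_decimal_ip(host: str):
    """Convert a decimal-only host to dotted-quad form when it is a valid IPv4 value.

    Hosts larger than 2**32 - 1 (all 11- and 12-digit values) cannot be an
    IPv4 address; they are returned as None so the analyst can see the link
    would not resolve as an IP even though the rule still flags it.
    """
    value = int(host)
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def scan_message(body: str) -> list[dict]:
    """Run the rule over one inbound message body; one finding per matching link."""
    findings = []
    for url in extract_links(body):
        host = numeric_host(url)
        if host is None:
            continue
        findings.append({
            "url": url,
            "numeric_host": host,
            "decoded_ip": decode_decimal_ip(host),
        })
    return findings


# Constructed sample body: a normal domain link, a decimal-IP link, and a
# dotted-quad IP link (the rule targets only the numeric-only form).
SAMPLE_BODY = """
<p>Your invoice is ready. <a href="https://example.com/invoice/123">View</a></p>
<p>Backup portal: <a href="http://3232235777/login">backup</a></p>
<p>Dotted-quad host, not in scope for this rule: <a href="http://192.168.1.1/login">plain</a></p>
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_BODY):
        print(finding)
```

Only the decimal-IP link produces a finding; the decoded value (192.168.1.1 for 3232235777) is what you would correlate with sender reputation and payload signals before quarantining, since legitimate IP-based hosts do occur.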
Categories
- Web
Data Sources
- Network Traffic
Created: 2026-05-29