
Summary
This rule is designed to detect potential credential phishing attempts by analyzing URL paths in incoming emails. It specifically identifies instances where the recipient's second-level domain (SLD) appears multiple times within the URL path. Such patterns have been commonly observed in phishing campaigns designed to deceive users, particularly those using multifactor authentication (MFA) enrollment lures. The detection process takes a multi-step approach: first, it ensures that the sender is not regarded as a trusted source by checking the sender's domain against a list of high-trust domains. If the sender's domain is not on that list, the rule proceeds to analyze the body of the email. It constructs a distinct list of the recipients' SLDs and checks for the presence of these SLDs concatenated together (or otherwise repeated) in the URL paths found within the email. By detecting such patterns, the rule aims to flag potentially malicious links that may lead to credential theft or further phishing attempts against users.
Categories
- Endpoint
- Web
- Cloud
- Identity Management
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2024-07-03