
Summary
This rule flags inbound emails that contain shortened URLs whose URL fragment is echoed in the email subject. It scans the message body for links, checks that each link's root domain matches a known URL-shortening service (from the $url_shorteners list), ensures the link carries a fragment, and confirms that the subject line contains that fragment. By requiring the fragment to appear in both the URL and the subject, the rule singles out targeted link-tracking and social engineering campaigns (often used in credential phishing or BEC scenarios). The detection relies on content analysis of the email body and subject, URL analysis of the hyperlinks (domain and fragment), and related header cues from inbound mail. When matched, the rule raises a medium-severity alert and is mapped to the Credential Phishing and BEC/Fraud tactics. Operational considerations include keeping the $url_shorteners list up to date (e.g., bit.ly, t.co) and ensuring that inbound mail data exposes body.current_thread.links and subject.subject for analysis. To reduce false positives, consider additional context such as sender reputation, DKIM/SPF alignment, and recipient-specific heuristics.
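The three checks described above, re-implemented in Python over constructed sample messages as an added illustration (this is not the rule's own query language or code from the page). The shortener set is a small placeholder standing in for $url_shorteners, the root-domain helper is a simplification that keeps the last two host labels, and the subject comparison is assumed to be case-insensitive.

```python
import re
from urllib.parse import urlparse

# Placeholder sample of shortener root domains, standing in for the rule's
# $url_shorteners list (constructed for this example, not the real list).
URL_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

# Crude link extractor for plain-text bodies; stops at whitespace and quotes.
_LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def root_domain(host: str) -> str:
    """Approximate the registrable root domain by keeping the last two labels.

    Simplification (assumption): a production rule would consult a public
    suffix list so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(body: str) -> list[str]:
    """Return body links with trailing sentence punctuation stripped."""
    return [m.rstrip(".,;:)") for m in _LINK_RE.findall(body)]


def matching_links(subject: str, body: str, shorteners=URL_SHORTENERS) -> list[str]:
    """Links that satisfy all three conditions of the rule:
    1. root domain is a known shortener,
    2. the URL has a non-empty fragment,
    3. that fragment is echoed in the subject (case-insensitive, assumed).
    """
    hits = []
    subject_lc = subject.lower()
    for link in extract_links(body):
        parsed = urlparse(link)
        if not parsed.hostname or root_domain(parsed.hostname) not in shorteners:
            continue  # condition 1 fails: not a shortener
        if not parsed.fragment:
            continue  # condition 2 fails: no fragment to correlate
        if parsed.fragment.lower() in subject_lc:
            hits.append(link)  # condition 3: fragment echoed in subject
    return hits


def is_suspicious(subject: str, body: str) -> bool:
    """True when at least one link meets every condition of the rule."""
    return bool(matching_links(subject, body))
```

Because condition 3 is the discriminator, a benign shortened link with no fragment, or a fragment the subject does not repeat, is left alone; only the per-message correlation between URL fragment and subject produces a hit.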
Categories
- Endpoint
- Application
Data Sources
- Process
- Application Log
Created: 2026-04-08