
Summary
This rule detects potential phishing attempts by identifying links whose 'eta' URL parameter carries the recipient's email address. Attackers commonly use this technique to personalize malicious links and improve their effectiveness by tracking which specific target clicked. The rule evaluates inbound messages and applies only when the email has exactly one recipient. Among the links detected in the email body, it looks for URLs where 'eta' is the sole query parameter. The detection logic then checks whether the value of the 'eta' parameter contains the domain of the recipient's email address, which indicates that the phishing link may be targeting that user specifically. It also handles the case where the 'eta' value is base64-encoded, extending coverage to that obfuscation technique. The rule is rated high severity because of the associated risk of credential phishing and warrants immediate attention.
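The detection logic described above, written out as an added Python example (not the rule's own code): the sample email, recipient address and link hostnames are constructed, and the single-recipient, sole-'eta'-parameter, recipient-domain and base64 checks are applied in the order the summary gives them.

```python
import base64
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample (not from the page): one inbound message with one recipient.
SAMPLE_EMAIL = {
    "recipients": ["alice@example.com"],
    "body": (
        "Your mailbox is full. Review now:\n"
        "https://login-review.test/verify?eta=alice@example.com\n"
        "Or use the encoded link: https://cdn.test/p?eta=YWxpY2VAZXhhbXBsZS5jb20=\n"
        "Benign tracker: https://news.test/a?eta=abc&utm=1\n"
    ),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def eta_values(url):
    """Return the 'eta' values only when 'eta' is the sole query parameter."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    if set(qs) != {"eta"}:
        return []
    return qs["eta"]

def decode_candidates(value):
    """Yield the raw value, then its base64 decoding if it decodes cleanly."""
    yield value
    try:
        padded = value + "=" * (-len(value) % 4)   # tolerate stripped padding
        yield base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return  # not valid base64 text; only the raw value is considered

def suspicious_links(email):
    """Return body links whose sole 'eta' parameter carries the recipient's domain."""
    if len(email["recipients"]) != 1:
        return []  # rule only applies to single-recipient messages
    domain = email["recipients"][0].split("@", 1)[1].lower()
    hits = []
    for url in URL_RE.findall(email["body"]):
        for value in eta_values(url):
            if any(domain in cand.lower() for cand in decode_candidates(value)):
                hits.append(url)
                break
    return hits
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the plain and the base64-encoded link and ignores the tracker URL, whose query string carries a second parameter.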
Categories
- Web
- Endpoint
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2026-01-27