Inline image as message with attachment or link

Sublime Rules

Summary
This detection rule identifies messages whose content is delivered as an inline image rather than as text, a technique used to get past conventional content scanning. An inline image, typically referenced from the HTML body by its Content-ID (CID), renders as the message itself: the recipient sees a complete lure, while a scanner that inspects body text finds little or nothing to evaluate. Research on attack patterns indicates that phishing campaigns frequently use this technique to deliver malware or harvest credentials. The rule applies several conditions: the message must carry an inline image together with either a short body (under 200 characters of text) that contains a link, or more than one attachment that is not classified as an image; messages whose inline image is a PNG are excluded because of a parsing bug. Finally, the rule considers the sender's profile and matches only senders that are new, outliers, or have a history of malicious messages without false positives. That sender check improves the rule's reliability, since inline CID images are also common in legitimate mail (signature logos, for example).
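The conditions described above, implemented as an added illustration in Python over constructed sample messages. This is example code written for this page, not the rule's own MQL (which the page does not reproduce): the sender-profile table, the sample messages and the treatment of an unknown sender as "new" are assumptions, and the "more than one non-image attachment" threshold follows the summary's wording.

```python
"""Illustration of the inline-image-as-message detection logic.
Example code for this page, not Sublime's MQL rule; profiles, samples
and the unknown-sender default are constructed assumptions."""
import re
from email.message import EmailMessage
from email.utils import parseaddr

BODY_TEXT_LIMIT = 200          # "body text length under 200 characters"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")

# Hypothetical stand-in for the sender profile the rule consults.
SENDER_PROFILES = {
    "ana@corp.example": {"new": False, "outlier": False, "malicious_no_fp": False},
}
UNKNOWN_SENDER = {"new": True, "outlier": False, "malicious_no_fp": False}  # assumption


def classify_parts(msg):
    """Split a MIME message into body text, links, inline (CID) images and
    other attachments. An image counts as inline when it carries a
    Content-ID or an inline disposition, i.e. HTML can reference it as cid:."""
    plain, html, links, inline_images, attachments = [], [], [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        disp = part.get_content_disposition()          # inline / attachment / None
        if ctype in ("text/plain", "text/html") and disp != "attachment":
            content = part.get_content()
            links.extend(URL_RE.findall(content))
            (plain if ctype == "text/plain" else html).append(content)
        elif ctype.startswith("image/") and (part.get("Content-ID") or disp == "inline"):
            inline_images.append(ctype)
        else:
            attachments.append(ctype)
    # Rendered text is the plain part when present, otherwise tag-stripped HTML.
    body_text = "\n".join(plain) if plain else TAG_RE.sub(" ", "\n".join(html))
    return body_text, links, inline_images, attachments


def evaluate(msg, profiles=SENDER_PROFILES):
    """Return each condition from the summary plus the combined verdict."""
    body_text, links, inline_images, attachments = classify_parts(msg)
    sender = parseaddr(str(msg["From"]))[1].lower()
    profile = profiles.get(sender, UNKNOWN_SENDER)
    non_image = [ct for ct in attachments if not ct.startswith("image/")]
    checks = {
        "inline_image": bool(inline_images),
        # inline PNGs are excluded because of a parsing bug (per the summary)
        "inline_png": "image/png" in inline_images,
        "short_body_with_link": len(body_text.strip()) < BODY_TEXT_LIMIT and bool(links),
        # threshold as the summary states it: more than one non-image attachment
        "multiple_non_image_attachments": len(non_image) > 1,
        "suspicious_sender": profile["new"] or profile["outlier"] or profile["malicious_no_fp"],
    }
    checks["match"] = (
        checks["inline_image"] and not checks["inline_png"]
        and (checks["short_body_with_link"] or checks["multiple_non_image_attachments"])
        and checks["suspicious_sender"]
    )
    return checks


def build_message(sender, text, html=None, inline_images=(), attachments=()):
    """Assemble a constructed multipart message (sample data, not a capture)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "victim@corp.example", "Notice"
    msg.set_content(text)
    if html is not None:
        msg.add_alternative(html, subtype="html")
    for filename, subtype, cid in inline_images:
        msg.add_attachment(b"\xff\xd8constructed-image-bytes", maintype="image",
                           subtype=subtype, filename=filename,
                           disposition="inline", cid=f"<{cid}>")
    for filename, maintype, subtype in attachments:
        msg.add_attachment(b"constructed-file-bytes", maintype=maintype,
                           subtype=subtype, filename=filename)
    return msg


LONG_TEXT = ("Hi team, attached are the slides from this morning's review. The main "
             "changes are the revised timeline on page 4 and the updated budget table "
             "on page 9. Please send comments by Friday so I can fold them into the "
             "version that goes to the steering committee. Thanks, Ana")

SAMPLES = {
    # the whole 'message' is a picture; the only text is a short nudge plus a link
    "image_phish": build_message(
        "payroll@hr-notice.example", "See below.",
        '<img src="cid:notice1"><a href="https://hr-notice.example/login">Sign in</a>',
        inline_images=[("notice.jpg", "jpeg", "notice1")]),
    # same lure, but the inline image is a PNG, which the rule excludes
    "png_inline": build_message(
        "payroll@hr-notice.example", "See below.",
        '<img src="cid:notice1"><a href="https://hr-notice.example/login">Sign in</a>',
        inline_images=[("notice.png", "png", "notice1")]),
    # no link, but two non-image attachments alongside the inline image
    "attachments_phish": build_message(
        "invoices@unknown-vendor.example", "Please review.",
        '<img src="cid:inv1">', inline_images=[("inv.jpg", "jpeg", "inv1")],
        attachments=[("invoice.pdf", "application", "pdf"),
                     ("terms.zip", "application", "zip")]),
    # known sender, long text, inline logo: an ordinary signature image
    "benign_signature": build_message(
        "ana@corp.example", LONG_TEXT,
        f'<p>{LONG_TEXT}</p><img src="cid:logo"><a href="https://corp.example/wiki">wiki</a>',
        inline_images=[("logo.gif", "gif", "logo")],
        attachments=[("slides.pdf", "application", "pdf")]),
}


def run_samples():
    return {name: evaluate(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, checks in run_samples().items():
        print(f"{name:20} match={checks['match']}  {checks}")
```

Each sample isolates one branch of the rule: the first matches on the short-body-plus-link path, the third on the attachment path, the second is dropped by the PNG exclusion, and the last shows why the sender and body-length conditions matter, since a signature logo is itself an inline CID image.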
Categories
  • Web
  • Endpoint
  • Cloud
  • Application
Data Sources
  • User Account
  • Web Credential
  • Process
  • Network Traffic
Created: 2022-01-21