
Summary
This detection rule flags messages whose body wraps an HTTP link in triple asterisks (`***`), where the link points to a PHP index page with query parameters. Lures of this shape are associated with Fake Antivirus (FakeAV) and Tech Support scams. A message matches only when all of the following conditions hold:
- the body contains exactly two occurrences of `***`;
- the body contains a valid HTTP link;
- that link's URL contains `/index.php?`;
- the body matches a regex for the expected `*** <link> ***` pattern.
Requiring every condition at once keeps the rule from firing on messages that merely use `***` as a visual separator, or that merely link to a PHP page without the asterisk framing. The rule targets social-engineering attempts in which the attacker lures the recipient into clicking a malicious link, and so supports defenses against malware delivery and phishing.
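As an added example that is not part of the original rule, the following Python reproduces the four conditions the summary describes and runs them over constructed sample bodies. The rule's own regex is not shown on the page, so `TRIPLE_STAR_LINK_RE` is an assumed reconstruction of "triple asterisks surrounding an HTTP link to `/index.php?`", and every function, constant and sample name here is illustrative rather than taken from the rule.

```python
import re
from typing import Optional

# Assumed reconstruction of the rule's regex (the page does not reproduce it):
# "***", optional whitespace, an http(s) URL whose path contains /index.php?,
# optional whitespace, "***". Query string and host are left open.
TRIPLE_STAR_LINK_RE = re.compile(
    r"\*\*\*\s*(?P<url>https?://[^\s*]+?/index\.php\?[^\s*]+)\s*\*\*\*",
    re.IGNORECASE,
)

# Generic http(s) link extractor, used for the "contains a valid HTTP link"
# condition independently of the asterisk framing.
HTTP_LINK_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def evaluate(body: str) -> dict:
    """Apply each of the rule's conditions to one message body.

    Returns one boolean per condition plus an overall "match" that is True
    only when every condition holds, mirroring the rule's AND of conditions.
    """
    links = HTTP_LINK_RE.findall(body)
    result = {
        # str.count is non-overlapping, so "******" counts as two; the regex
        # condition below rules that case out because no link sits between them.
        "exactly_two_triple_asterisks": body.count("***") == 2,
        "has_http_link": bool(links),
        "link_has_index_php_query": any("/index.php?" in u.lower() for u in links),
        "matches_expected_pattern": TRIPLE_STAR_LINK_RE.search(body) is not None,
    }
    result["match"] = all(result.values())
    return result


def extract_lure_url(body: str) -> Optional[str]:
    """Return the asterisk-framed lure URL when the body matches, else None."""
    if not evaluate(body)["match"]:
        return None
    return TRIPLE_STAR_LINK_RE.search(body).group("url")


def scan(messages: dict) -> dict:
    """Run the rule over labelled bodies; returns label -> match verdict."""
    return {label: evaluate(body)["match"] for label, body in messages.items()}


# Constructed sample bodies (illustrative, not real captured messages).
SCAM_LURE = (
    "Your computer has been infected! Renew your protection now:\n"
    "*** http://example.com/index.php?id=12345 ***\n"
    "Call our support line if the link does not work."
)
# Two "***" used only as separators, and a non-PHP link: must not fire.
SEPARATOR_ONLY = (
    "***\nMeeting notes for Tuesday\n***\n"
    "Slides: https://example.org/docs/index.html"
)
# Correct framing but three markers in total: the exact-count condition fails.
THREE_MARKERS = "*** http://example.net/index.php?a=1 *** and *** footer"
# A /index.php? link with no asterisk framing at all: must not fire.
BARE_PHP_LINK = "Invoice attached: http://example.com/index.php?inv=9"


if __name__ == "__main__":
    samples = {
        "scam_lure": SCAM_LURE,
        "separator_only": SEPARATOR_ONLY,
        "three_markers": THREE_MARKERS,
        "bare_php_link": BARE_PHP_LINK,
    }
    for label, verdict in scan(samples).items():
        print(f"{label:15s} -> {'MATCH' if verdict else 'no match'}")
    print("lure url:", extract_lure_url(SCAM_LURE))
```

Returning the per-condition results rather than a bare boolean makes tuning easier: when a benign message trips the rule, the dict shows which condition was the weak one (in practice it is usually the asterisk count, since `***` is a common separator), and `extract_lure_url` gives the indicator to pivot on in the rest of the mail flow.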
Categories
- Web
- Cloud
- Endpoint
- Application
Data Sources
- Web Credential
- Logon Session
- Application Log
- Network Share
- File
Created: 2025-06-11