
Summary
This rule analyzes URLs in inbound traffic to detect obfuscation that uses the userinfo portion of a URL (the username) to hide a suspicious domain. The rule triggers when href_url.username is non-null and contains a dot, the password field is null, and the domain or root_domain appears in lists of URL shorteners, free file hosts, free subdomain hosts, or self-service creation platform domains, or when the top-level domain is in a list of suspicious TLDs. It excludes legitimate email-based hyperlinks by requiring that the parsed email domain is not valid for a hyperlink under certain parser conditions. It also excludes URLs with mailto or tel schemes, usernames that look like mailto or tel, unsubscribe parameters in the query, and UTM parameters. The intent is to detect obfuscated links used in credential phishing and malware/ransomware campaigns and to support evasion detection in inbound traffic. This rule uses URL analysis and content analysis methods.
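The rule logic above, as an added illustration that is not the rule's own implementation: it parses the userinfo, password, host, TLD and query with the standard library and applies the match and exclusion conditions. The list contents, the hypothetical `.example` / `.zip` values, the simplified root-domain split, and the "key contains unsubscribe" test are assumptions for this example; the email-domain parser exclusion is not modelled.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed stand-ins for the rule's curated lists (assumption, not real data).
URL_SHORTENERS = {"short.example"}
FREE_FILE_HOSTS = {"files.example"}
FREE_SUBDOMAIN_HOSTS = {"freehost.example"}
SELF_SERVICE_PLATFORMS = {"sites.example"}
SUSPICIOUS_TLDS = {"zip", "top"}
LISTED = URL_SHORTENERS | FREE_FILE_HOSTS | FREE_SUBDOMAIN_HOSTS | SELF_SERVICE_PLATFORMS


def root_domain(host: str) -> str:
    """Last two labels of the host (simplified; ignores multi-label public suffixes)."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def is_userinfo_obfuscated(url: str) -> bool:
    """True when the URL matches the rule: a dotted username (no password)
    in front of a listed host or a suspicious TLD, with the exclusions applied."""
    p = urlsplit(url)
    # Exclusion: mailto and tel schemes carry userinfo-like text legitimately.
    if p.scheme.lower() in ("mailto", "tel"):
        return False
    username = p.username
    # Match condition: non-null username containing a dot, null password.
    if not username or "." not in username or p.password is not None:
        return False
    # Exclusion: usernames that look like mailto / tel.
    if username.lower().startswith(("mailto", "tel")):
        return False
    # Exclusion: unsubscribe or UTM parameters in the query.
    for key in parse_qs(p.query, keep_blank_values=True):
        k = key.lower()
        if "unsubscribe" in k or k.startswith("utm_"):
            return False
    host = (p.hostname or "").lower()
    if not host:
        return False
    tld = host.rsplit(".", 1)[-1]
    return host in LISTED or root_domain(host) in LISTED or tld in SUSPICIOUS_TLDS


def flag_urls(urls):
    """Return the subset of urls that the rule would flag."""
    return [u for u in urls if is_userinfo_obfuscated(u)]
```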
Categories
- Network
- Web
Data Sources
- Network Traffic
Created: 2026-03-14