
Summary
This rule targets inbound email messages that contain a link whose displayed URL carries a non-standard port (specifically :8443). It activates for inbound messages that either have no prior thread or appear to be a fake thread (no References or In-Reply-To header, combined with certain subject thread states). The detection triggers if any link in the message body has a display URL containing ":8443" and the domain referenced by the link's href URL is 365 days old or newer. To reduce false positives from legitimate digest mailers, it excludes emails from noreply-spamdigest@google.com when DMARC passes. The rule combines URL analysis with domain age (via whois) to flag potential phishing or malware-hosting infrastructure on non-standard ports, which are often used to evade standard filters. Keywords emphasize the port angle and phishing evasion, and the rule is categorized under evasion techniques, with detection primarily through URL analysis. Potential limitations include legitimate services that use port 8443 in display URLs, legitimate domains registered less than a year ago, and obfuscated or shortened URLs that hide the port and reduce detection effectiveness.
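The detection logic described above, implemented as an added Python example (not the rule's own code or query language): it parses a constructed raw email, checks the thread state from headers, applies the digest-sender exclusion when DMARC passes, extracts anchors from the HTML body, and fires only when a link's display text contains ":8443" and the href's domain is 365 days old or newer. The whois lookup is replaced by a constructed in-memory table, the registrable-domain extraction is a two-label simplification, and the "fake thread" subject test (a Re:/Fwd: prefix without reply headers) is an assumption about the unspecified subject thread states.

```python
import re
from datetime import date
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for whois: registrable domain -> creation date (made-up values).
WHOIS_CREATED = {
    "fresh-portal.example": date(2026, 2, 1),   # registered weeks ago
    "oldvendor.example": date(2015, 6, 12),     # long-established
}
TODAY = date(2026, 3, 27)                       # fixed "now" so the demo is deterministic
MAX_DOMAIN_AGE_DAYS = 365
NON_STANDARD_PORT = ":8443"
DIGEST_SENDER = "noreply-spamdigest@google.com"
THREAD_PREFIX = re.compile(r"^\s*(re|fwd?)\s*:", re.IGNORECASE)  # assumption: fake-thread subject test


class _LinkCollector(HTMLParser):
    """Collects (href, display_text) pairs from <a> tags in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(url):
    # Simplification: last two labels of the host (no public-suffix list).
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def domain_age_days(domain, today=TODAY):
    created = WHOIS_CREATED.get(domain)   # None when whois has no record
    return None if created is None else (today - created).days


def sender_address(msg):
    from_hdr = msg.get("From", "")
    match = re.search(r"<([^>]+)>", from_hdr)
    return (match.group(1) if match else from_hdr).strip().lower()


def dmarc_pass(msg):
    return "dmarc=pass" in msg.get("Authentication-Results", "").lower()


def thread_state(msg):
    """'threaded' (has reply headers), 'fake_thread' (Re:/Fwd: subject, no reply headers) or 'new'."""
    if msg.get("References") or msg.get("In-Reply-To"):
        return "threaded"
    return "fake_thread" if THREAD_PREFIX.match(msg.get("Subject", "")) else "new"


def evaluate(raw_message, today=TODAY):
    """Return the (display, href) links that match the rule; an empty list means no detection."""
    msg = message_from_string(raw_message)
    if thread_state(msg) == "threaded":
        return []
    if sender_address(msg) == DIGEST_SENDER and dmarc_pass(msg):
        return []                                  # digest-mailer exclusion, only with DMARC pass
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    hits = []
    for href, display in extract_links(body):
        if NON_STANDARD_PORT not in display:
            continue
        age = domain_age_days(registrable_domain(href), today)
        if age is not None and age <= MAX_DOMAIN_AGE_DAYS:   # unknown age does not fire
            hits.append((display, href))
    return hits


# Constructed sample messages (not real traffic).
PHISH = """\
From: "IT Helpdesk" <helpdesk@fresh-portal.example>
Subject: Re: Password expires today
Content-Type: text/html; charset=utf-8

<html><body><p>Sign in to keep access:</p>
<a href="https://fresh-portal.example:8443/login">https://fresh-portal.example:8443/login</a>
</body></html>
"""
DIGEST = """\
From: <noreply-spamdigest@google.com>
Subject: Spam digest
Authentication-Results: mx.corp.example; dmarc=pass header.from=google.com
Content-Type: text/html; charset=utf-8

<html><body><a href="https://fresh-portal.example:8443/x">https://fresh-portal.example:8443/x</a></body></html>
"""

if __name__ == "__main__":
    print("phish:", evaluate(PHISH))    # fires: fake thread, :8443 display URL, 54-day-old domain
    print("digest:", evaluate(DIGEST))  # suppressed by the DMARC-pass digest exclusion
```

Swapping `dmarc=pass` for `dmarc=fail` in the digest sample removes the exclusion and the same link fires, which is the behaviour the rule's exclusion clause describes; a link to `oldvendor.example:8443` never fires because its age exceeds 365 days.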
Categories
- Network
Data Sources
- Network Traffic
Created: 2026-03-27