Link: Multiple HTTP protocols in single URL

Sublime Rules

Summary
This rule detects links that contain five or more HTTP protocol declarations within a single URL, a pattern commonly used for URL manipulation or obfuscation. It analyzes inbound messages and considers only threads containing fewer than 10 links, skipping links labeled 'unsubscribe' in either their displayed text or the URL itself. For each remaining link, a regex inspects the query parameters and counts the distinct domain names embedded in them. A message is flagged for further inspection when the query parameters contain three or more unique domains together with three or more HTTP URLs. The severity is medium: the pattern is not pervasive, but its presence can indicate more sophisticated phishing or malware delivery. The rule contributes to attack surface reduction by surfacing credential phishing and malware/ransomware attempts that evade standard detection through link obfuscation.
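The detection logic described above, re-implemented as an added Python example for illustration (this is not the rule's own MQL and the thresholds, helper names and example.* sample links are assumptions built from the summary):

```python
import re
from urllib.parse import urlsplit, unquote

# Thresholds taken from the rule summary; the exact rule source is not on this page,
# so this is an assumed re-implementation, not Sublime's code.
MAX_LINKS_PER_MESSAGE = 10      # rule only fires on messages with fewer than 10 links
MIN_PROTOCOL_DECLARATIONS = 5   # five or more "http(s)://" inside one link
MIN_DISTINCT_QUERY_DOMAINS = 3  # three or more distinct hosts inside the query string
MIN_QUERY_HTTP_URLS = 3         # three or more http(s) URLs inside the query string

PROTO_RE = re.compile(r"https?://", re.IGNORECASE)
# host of an embedded URL, ignoring any user@ prefix and stopping at path/query delimiters
HOST_RE = re.compile(r"https?://(?:[^/?#&\s@]*@)?([^/?#&\s]+)", re.IGNORECASE)

def fully_unquote(s: str, rounds: int = 4) -> str:
    """Undo repeated percent-encoding; nested redirect URLs are often encoded more than once."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def count_protocol_declarations(url: str) -> int:
    return len(PROTO_RE.findall(fully_unquote(url)))

def query_hosts(url: str) -> list[str]:
    """Hosts of every http(s) URL embedded in the link's query string (duplicates kept)."""
    return [h.lower() for h in HOST_RE.findall(fully_unquote(urlsplit(url).query))]

def is_unsubscribe(display_text: str, url: str) -> bool:
    return "unsubscribe" in display_text.lower() or "unsubscribe" in url.lower()

def link_is_suspicious(url: str) -> bool:
    hosts = query_hosts(url)
    return (count_protocol_declarations(url) >= MIN_PROTOCOL_DECLARATIONS
            and len(set(hosts)) >= MIN_DISTINCT_QUERY_DOMAINS
            and len(hosts) >= MIN_QUERY_HTTP_URLS)

def flagged_links(links: list[tuple[str, str]]) -> list[str]:
    """links: (display_text, href) pairs from one message; returns hrefs matching the rule."""
    if len(links) >= MAX_LINKS_PER_MESSAGE:
        return []
    return [href for text, href in links if not is_unsubscribe(text, href) and link_is_suspicious(href)]

# Constructed sample message: an unsubscribe link (ignored), a nested redirect chain, a plain link.
SAMPLE_LINKS = [
    ("Unsubscribe", "https://mail.example.com/unsubscribe?u=https://a.example.org/?r=https://b.example.org/?r=http://c.example.net/?r=https://d.example.net/"),
    ("View invoice", "https://track.example.com/r?u=https%3A%2F%2Flogin.example.net%2Fauth%3Fnext%3Dhttp%253A%252F%252Fcdn.example.org%252Fx&ref=https://example.org/y&z=http%3A%2F%2Fportal.example.com%2Fl"),
    ("Home", "https://example.com/"),
]

if __name__ == "__main__":
    print(flagged_links(SAMPLE_LINKS))
```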
Categories
  • Web
  • Network
Data Sources
  • Network Traffic
  • Application Log
Created: 2025-10-31