Spam: URL shortener with short body content and emojis

Sublime Rules

Summary
This detection rule identifies spam emails that originate from free email providers and contain a high volume of URL shorteners and emojis. The primary conditions for this rule are:
  • the sender belongs to a predefined list of free email providers;
  • the links in the email body predominantly point to known URL shortener domains;
  • the email body is shorter than 100 characters, indicating little textual content beyond the link; and
  • an emoji appears in the subject line or the email body, detected with regex patterns that match common emoji Unicode ranges.
Additionally, the rule evaluates the sender's profile: whether the sender is new or an outlier, or has previously sent messages classified as spam or malicious with no prior false positives. Given its low severity, this rule serves as an effective mechanism to filter potentially deceptive emails without generating excessive alerts.
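The following is an added illustration of the rule's logic in Python, written for this page and not taken from the Sublime rule itself; the provider and shortener lists, the emoji ranges, and the sample messages are constructed stand-ins for the lists and sender-profile signals the real rule consumes.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-ins for the rule's predefined lists (hypothetical values).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Common emoji Unicode blocks: misc symbols/dingbats, pictographs,
# emoticons, transport & map, supplemental symbols and pictographs.
EMOJI_RE = re.compile(
    "[\u2600-\u27BF\U0001F300-\U0001F5FF\U0001F600-\U0001F64F"
    "\U0001F680-\U0001F6FF\U0001F900-\U0001F9FF]"
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Message:
    sender_domain: str
    subject: str
    body: str
    sender_new_or_outlier: bool       # sender profile: new/outlier sender
    sender_prior_spam_no_fp: bool     # prior spam/malicious, no false positives


def is_shortener(url: str) -> bool:
    """True when the link's host is a known URL shortener domain."""
    return urlparse(url).netloc.lower() in URL_SHORTENERS


def matches_rule(msg: Message) -> bool:
    """Return True when the message satisfies every condition of the rule."""
    if msg.sender_domain.lower() not in FREE_EMAIL_PROVIDERS:
        return False
    links = URL_RE.findall(msg.body)
    # "Predominantly" shortener links: at least one link, and a majority
    # of them resolve to shortener domains.
    if not links or 2 * sum(is_shortener(u) for u in links) <= len(links):
        return False
    if len(msg.body) >= 100:          # little text beyond the link
        return False
    if not (EMOJI_RE.search(msg.subject) or EMOJI_RE.search(msg.body)):
        return False
    # Sender profile: new/outlier, or prior spam without false positives.
    return msg.sender_new_or_outlier or msg.sender_prior_spam_no_fp
```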
Categories
  • Web
  • Cloud
Data Sources
  • User Account
  • Network Traffic
Created: 2023-08-03