Link: Hotel booking spoofed display URL

Sublime Rules

Summary
This detection rule identifies potential phishing attempts that target users through fraudulent hotel booking links. It inspects messages containing links whose display text is formatted like the URL of a legitimate hotel booking service, and checks whether the link actually leads to a different domain than the one advertised. Further conditions flag suspicious activity, such as abnormal query parameters typically associated with scams, or destinations on recently registered domains (less than 30 days old). The rule also requires that the message sender is not a valid domain associated with genuine bookings. By analyzing both the displayed and the actual URL, alongside sender verification, the rule helps mitigate Business Email Compromise (BEC) and credential phishing carried out through deceptive messages.
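The display-versus-destination comparison described in the summary, as an added Python example; it is not the Sublime rule's source. The `same_site` comparison, the sender check, the `registered` table standing in for a registration-date lookup, and every sample domain are assumptions constructed for illustration, and the query-parameter condition is left out because the page does not name the parameters.

```python
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body and registration dates (illustrative, not real data).
SAMPLE_HTML = (
    '<a href="https://guest-verify.example.net/r?id=1">'
    'https://www.hotel-booking.example/confirm</a>'
    '<a href="https://www.hotel-booking.example/help">hotel-booking.example/help</a>'
)
SAMPLE_REGISTERED = {"guest-verify.example.net": date(2026, 2, 10)}

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):  # lower-cased hostname; display text often omits the scheme
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()

def same_site(a, b):  # equal, or one host is a subdomain of the other
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def spoofed_links(html, sender_domain, registered, today, max_age_days=30):
    """Return one finding per link whose display URL and href disagree."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown, actual = host(text), host(href)
        if " " in text or "." not in shown or not actual:
            continue  # display text is not URL-shaped
        if same_site(shown, actual) or same_site(sender_domain.lower(), shown):
            continue  # link goes where it says, or sender matches the brand
        created = registered.get(actual)  # None: registration date unknown
        young = created is not None and (today - created).days < max_age_days
        findings.append({"shown": shown, "actual": actual, "new_domain": young})
    return findings
```

A production version would compare registrable domains using the Public Suffix List rather than the suffix match used here.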
Categories
  • Web
  • Application
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
Created: 2026-02-18