
Summary
The rule detects inbound messages containing links to WordPress administrative paths (such as /wp-admin, /wp-content, /wp-includes, admin, xmlrpc.php, etc.) where the URL fragment (the portion after #) carries data targeting the recipient's email address. It matches the URL path against common WordPress admin endpoints and then inspects the fragment for base64-encoded data that, when decoded, includes the recipient's email address. If the fragment is not base64-encoded, it also checks for a direct appearance of the recipient's email. This combination indicates a targeted credential phishing attempt or social-engineering spearphish designed to send a specific recipient to a credential-collection page or similar trap, with the email hidden in the fragment to evade detection. The rule flags such messages as high severity and classifies them as Credential Phishing using evasion and social engineering techniques; the detection relies on URL and content analysis to identify suspicious inbound messages with recipient-targeted content.
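The following is an added illustration of the detection logic described above, written for this page and not taken from the rule's own implementation. It assumes a simplified list of WordPress admin path patterns (the regular expression is a sample, not the rule's actual pattern) and treats a fragment as base64 only if it survives strict decoding after padding repair; otherwise it falls back to a plain case-insensitive search for the recipient's address. The message links and recipient are constructed sample data.

```python
import base64
import binascii
import re
from urllib.parse import urlparse, unquote

# Sample path patterns for WordPress admin endpoints (assumption: the real
# rule's list may differ; this covers the examples named in the summary).
WP_ADMIN_PATH_RE = re.compile(
    r"/wp-admin|/wp-content|/wp-includes|(?:^|/)admin(?:/|$)|xmlrpc\.php",
    re.IGNORECASE,
)


def decode_base64_fragment(fragment):
    """Decode a standard or URL-safe base64 fragment, repairing missing padding.

    Returns the decoded text, or None if the fragment is not valid base64.
    """
    candidate = fragment.strip()
    # Only base64 alphabet characters (both variants) may appear.
    if not candidate or not re.fullmatch(r"[A-Za-z0-9+/_=-]+", candidate):
        return None
    # Normalise URL-safe alphabet to the standard one and restore padding,
    # since attackers often strip '=' to keep the fragment looking opaque.
    candidate = candidate.replace("-", "+").replace("_", "/")
    candidate += "=" * (-len(candidate) % 4)
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="ignore")


def classify_link(url, recipient_email):
    """Return a reason string if the link matches the rule, else None."""
    parsed = urlparse(url)
    # Step 1: the path must look like a WordPress admin endpoint.
    if not WP_ADMIN_PATH_RE.search(parsed.path):
        return None
    # Step 2: inspect the fragment (percent-decoded) for the recipient address.
    fragment = unquote(parsed.fragment)
    if not fragment:
        return None
    email = recipient_email.lower()
    decoded = decode_base64_fragment(fragment)
    if decoded is not None and email in decoded.lower():
        return "base64 fragment contains recipient email"
    if email in fragment.lower():
        return "fragment contains recipient email"
    return None


def scan_message(links, recipient_email):
    """Return (url, reason) pairs for every link in the message that matches."""
    hits = []
    for url in links:
        reason = classify_link(url, recipient_email)
        if reason:
            hits.append((url, reason))
    return hits


if __name__ == "__main__":
    # Constructed sample message: one benign link and three suspicious ones.
    recipient = "alice@example.com"
    sample_links = [
        "https://example.invalid/blog/2024/welcome#comments",
        "https://example.invalid/wp-admin/login.php#YWxpY2VAZXhhbXBsZS5jb20=",
        "https://example.invalid/xmlrpc.php#YWxpY2VAZXhhbXBsZS5jb20",
        "https://example.invalid/wp-content/uploads/doc.html#alice@example.com",
    ]
    for url, reason in scan_message(sample_links, recipient):
        print(f"ALERT: {reason}: {url}")
```

The strict `validate=True` decode matters: without it, `base64.b64decode` silently drops non-alphabet characters, so a plain-text fragment could be "decoded" into noise and the direct-match branch would never be reached for the cases the rule describes.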
Categories
- Web
- Endpoint
Data Sources
- Network Traffic
- Application Log
Created: 2026-04-17