
Summary
This detection rule identifies potentially malicious spam messages that contain links to 'blob.core.windows.net' and are sent from newly established domains (less than 30 days old). The rule requires that the message has exactly one recipient and that this recipient address does not belong to the organization. The underlying logic checks the following conditions: the sender's domain must be new (under 30 days old), the message must contain fewer than three links, and at least one link must point to 'blob.core.windows.net'. Additionally, the sender profile must be one that has never been solicited by the organization, or one that shows a history of malicious or spam activity with no false positives recorded. The rule helps preempt phishing and spam campaigns that leverage newly registered domains together with commonly abused services such as Microsoft Azure Blob Storage.
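The conditions above expressed as runnable logic, as an added example that is not the rule's own query language or the vendor's implementation. The organisation domain, the sample messages and the sender-profile fields (`solicited`, `prevalence`, `false_positives`) are constructed assumptions; matching any `<account>.blob.core.windows.net` host as "pointing to blob.core.windows.net" is also an assumption, since Azure Blob Storage URLs are served from per-account subdomains.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

ORG_DOMAIN = "example.org"            # assumed organisation domain (constructed)
BLOB_HOST = "blob.core.windows.net"
NEW_DOMAIN_MAX_AGE_DAYS = 30

@dataclass
class SenderProfile:
    solicited: bool           # has anyone in the organisation ever mailed this sender?
    prevalence: str           # e.g. "new", "common", "malicious", "spam"
    false_positives: int = 0  # analyst-confirmed false positives recorded for the sender

@dataclass
class Message:
    sender: str
    recipients_to: list
    links: list
    sender_domain_created: date
    profile: SenderProfile

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def points_to_blob(url):
    # Exact host or a subdomain of it; a look-alike such as blob.core.windows.net.evil.test does not match.
    host = (urlparse(url).hostname or "").lower()
    return host == BLOB_HOST or host.endswith("." + BLOB_HOST)

def matches_rule(msg, today):
    # Exactly one recipient, and that recipient is not an address in our own organisation.
    if len(msg.recipients_to) != 1 or domain_of(msg.recipients_to[0]) == ORG_DOMAIN:
        return False
    # Sender domain registered fewer than 30 days ago.
    if (today - msg.sender_domain_created).days >= NEW_DOMAIN_MAX_AGE_DAYS:
        return False
    # Fewer than three links in the body, at least one of them to Azure Blob Storage.
    if len(msg.links) >= 3 or not any(points_to_blob(u) for u in msg.links):
        return False
    p = msg.profile
    # Unsolicited sender, or a sender with a malicious/spam history and no recorded false positives.
    return (not p.solicited) or (p.prevalence in ("malicious", "spam") and p.false_positives == 0)

TODAY = date(2024, 5, 21)  # evaluation date (constructed)
BLOB_LINK = "https://acct123.blob.core.windows.net/files/invoice.html"
SAMPLES = {  # constructed messages: one true hit, two that miss on a single condition
    "hit": Message("promo@fresh-offers.test", ["bulk@freemail.test"], [BLOB_LINK],
                   date(2024, 5, 10), SenderProfile(solicited=False, prevalence="new")),
    "old_domain": Message("promo@fresh-offers.test", ["bulk@freemail.test"], [BLOB_LINK],
                          date(2023, 1, 1), SenderProfile(solicited=False, prevalence="new")),
    "solicited_clean": Message("promo@fresh-offers.test", ["bulk@freemail.test"], [BLOB_LINK],
                               date(2024, 5, 10), SenderProfile(solicited=True, prevalence="common")),
}

def evaluate_samples():
    return {name: matches_rule(m, TODAY) for name, m in SAMPLES.items()}
```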
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2024-05-21