
Summary
This rule detects credential-phishing attempts that abuse AWS Lambda function URLs and are personalised to a specific recipient. It evaluates inbound email and fires only when both conditions hold: (1) the recipient's domain appears in the sender address's local-part (a sign the sender name was crafted for the target organization), and (2) the email body contains at least one link whose domain is a Lambda function URL and whose URL fragment contains the recipient's email address.

Detection combines content analysis (extracting links from the email body) with URL/domain analysis to identify Lambda-hosted phishing pages. Lambda function URLs are served from an AWS-owned domain that anyone can provision at no cost, so the link borrows AWS's reputation and is unlikely to be blocked on domain reputation alone. Placing the victim's address in the fragment lets the landing page pre-fill the login form client-side, since a URL fragment is never sent to the server and so does not appear in request logs or in many URL scanners.

Severity: medium. Attack types: Credential Phishing. TTPs: Free subdomain host, Social engineering. Detection methods: URL analysis, Content analysis.

False positives can occur when legitimate Lambda links are used in sanctioned workflows, or when a URL fragment coincidentally contains the recipient's address. Mitigations: allowlist trusted senders, inventory legitimate Lambda URL use in the organization, and supplement the rule with URL reputation checks and recipient verification.
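The two conditions above, re-implemented in plain Python and run over constructed sample messages. This is an added example, not the rule's own query or the vendor's code: the addresses, domains and Lambda URL IDs are made up, the `trusted_senders` allowlist parameter is a hypothetical stand-in for the allowlisting mitigation mentioned above, and only HTML bodies are scanned for links. The Lambda URL hostname shape (`<url-id>.lambda-url.<region>.on.aws`) is the documented AWS format.

```python
"""Added example: plain-Python check for personalised Lambda URL phishing.

Not the detection rule's own code. Sample messages, domains and URL IDs
are constructed for illustration only.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostname shape of an AWS Lambda function URL: <url-id>.lambda-url.<region>.on.aws
LAMBDA_URL_HOST = re.compile(r"^[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws$", re.I)


class LinkExtractor(HTMLParser):
    """Collects href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def extract_links(body_html):
    parser = LinkExtractor()
    parser.feed(body_html)
    return parser.hrefs


def is_lambda_url(url):
    """True if the URL's host is a Lambda function URL host (not merely contains the string)."""
    host = urlsplit(url).hostname or ""
    return bool(LAMBDA_URL_HOST.match(host))


def addresses(msg, header):
    """Lower-cased addr-specs from an address header, or [] if the header is absent."""
    hdr = msg[header]
    return [a.addr_spec.lower() for a in hdr.addresses] if hdr else []


def evaluate(raw_message, trusted_senders=()):
    """Return (recipient, url) pairs that satisfy both rule conditions; [] means no alert.

    Condition 1: the recipient's domain appears in the sender's local-part.
    Condition 2: a body link is a Lambda function URL whose fragment contains
                 that recipient's full address.
    trusted_senders is a hypothetical allowlist (the mitigation named above).
    """
    msg = message_from_string(raw_message, policy=policy.default)
    senders = addresses(msg, "From")
    if not senders or senders[0] in {s.lower() for s in trusted_senders}:
        return []
    sender_local = senders[0].split("@", 1)[0]

    # Only HTML bodies are scanned; a plain-text body would need a bare-URL regex.
    body = msg.get_body(preferencelist=("html",))
    links = extract_links(body.get_content()) if body is not None else []

    hits = []
    for rcpt in addresses(msg, "To"):
        domain = rcpt.split("@", 1)[1]
        if domain not in sender_local:  # condition 1 fails for this recipient
            continue
        for url in links:
            fragment = urlsplit(url).fragment.lower()
            if is_lambda_url(url) and rcpt in fragment:  # condition 2
                hits.append((rcpt, url))
    return hits


# Constructed sample: sender local-part impersonates the target's domain and the
# Lambda URL carries the recipient's address in the fragment.
PHISH = """\
From: IT Helpdesk <helpdesk-example.com@example.net>
To: Alice <alice@example.com>
Subject: Your password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://ab12cd34ef56.lambda-url.us-east-1.on.aws/#alice@example.com">Keep my password</a>
</body></html>
"""

# Constructed sample: a legitimate Lambda-backed notification. Same host family,
# but no impersonating local-part and no recipient-keyed fragment.
BENIGN = """\
From: CI Bot <ci@example.net>
To: alice@example.com
Subject: Build 4711 finished
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://ab12cd34ef56.lambda-url.us-east-1.on.aws/status?id=4711">View status</a></body></html>
"""

if __name__ == "__main__":
    print("phish :", evaluate(PHISH))
    print("benign:", evaluate(BENIGN))
    print("phish, sender allowlisted:", evaluate(PHISH, trusted_senders=["helpdesk-example.com@example.net"]))
```

`is_lambda_url` matches the whole hostname rather than searching for the substring `lambda-url`, so a lookalike such as `https://example.com/lambda-url.us-east-1.on.aws` in the path does not count; loosen it only if you have seen real campaigns that defeat the stricter form.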
Categories
- Endpoint
- Web
Data Sources
- Application Log
- Network Traffic
Created: 2026-05-29