
Summary
This detection rule identifies potentially malicious messages whose links use referrer anonymization services, when those messages come from untrusted senders. A sender is treated as untrusted when its domain does not appear on a trusted domain list, or when the message fails DMARC authentication checks even though the domain is on that list.

The rule inspects the links found in the message body for patterns associated with common referrer anonymization services, such as 'href.li', and with the mail client URLs used by certain email providers. It then filters out certain known safe domains, as well as link destinations that match the sender's domain when the sender has no past malicious messages. This conditional logic reduces false positives while preserving detection of credential phishing and evasion tactics.

Overall, the rule combines sender profile analysis with header and URL examination to assess the likelihood of a threat, helping to protect email communications.
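The following is an added example, not the rule's own code, that models the decision flow the summary describes: sender trust (trusted-domain list plus DMARC result), extraction of the destination hidden behind an 'href.li' link, and the allowlist filters for known safe domains and sender-owned destinations. The trusted-domain list, safe-domain list, sample messages and the `Message` fields are constructed placeholders; the real rule's lists, the other anonymizer services it matches and its mail client URL patterns are not on the page and are not reproduced here.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed placeholder lists; the actual rule's lists are not on the page.
TRUSTED_DOMAINS = {"partner.example.com"}
KNOWN_SAFE_DOMAINS = {"docs.example.com"}
# Only href.li is named in the summary; other services would be added here.
ANONYMIZER_HOSTS = {"href.li"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class Message:
    """Minimal constructed stand-in for the fields the rule consults."""
    sender_domain: str
    dmarc_pass: bool
    body: str
    sender_has_prior_malicious: bool = False


def sender_untrusted(msg: Message) -> bool:
    """Untrusted: not on the trusted list, or on it but failing DMARC."""
    return msg.sender_domain not in TRUSTED_DOMAINS or not msg.dmarc_pass


def anonymized_destination(url: str):
    """Return the destination hidden behind a referrer anonymizer, else None.

    href.li carries the real target after the '?', e.g.
    https://href.li/?https://target.example/path
    """
    parts = urlparse(url)
    if parts.netloc.lower() not in ANONYMIZER_HOSTS:
        return None
    return parts.query or None


def destination_filtered(msg: Message, dest: str) -> bool:
    """Allowlist: known safe hosts, or the sender's own domain with clean history."""
    host = urlparse(dest).netloc.lower()
    if host in KNOWN_SAFE_DOMAINS:
        return True
    return host == msg.sender_domain and not msg.sender_has_prior_malicious


def evaluate(msg: Message) -> list:
    """Return the suspicious anonymized destinations; empty means no detection."""
    if not sender_untrusted(msg):
        return []
    hits = []
    for url in URL_RE.findall(msg.body):
        dest = anonymized_destination(url.rstrip(".,;)"))
        if dest is None or destination_filtered(msg, dest):
            continue
        hits.append(dest)
    return hits


# Constructed sample messages covering each branch of the logic.
SAMPLE_PHISH = Message(
    sender_domain="mail.example.net", dmarc_pass=True,
    body="Reset here: https://href.li/?https://login-portal.example.net/reset")
SAMPLE_TRUSTED = Message(
    sender_domain="partner.example.com", dmarc_pass=True,
    body="See https://href.li/?https://login-portal.example.net/reset")
SAMPLE_DMARC_FAIL = Message(
    sender_domain="partner.example.com", dmarc_pass=False,
    body="See https://href.li/?https://login-portal.example.net/reset")
SAMPLE_SELF_LINK = Message(
    sender_domain="newsletter.example.org", dmarc_pass=True,
    body="Unsubscribe: https://href.li/?https://newsletter.example.org/unsubscribe")
SAMPLE_PLAIN_LINK = Message(
    sender_domain="mail.example.net", dmarc_pass=True,
    body="Direct link https://login-portal.example.net/reset has no anonymizer")

if __name__ == "__main__":
    for name, msg in [("phish", SAMPLE_PHISH), ("trusted", SAMPLE_TRUSTED),
                      ("dmarc_fail", SAMPLE_DMARC_FAIL), ("self_link", SAMPLE_SELF_LINK),
                      ("plain_link", SAMPLE_PLAIN_LINK)]:
        print(f"{name:10s} -> {evaluate(msg)}")
```

The trusted sender with a passing DMARC result is skipped before any link inspection, while the same domain with a DMARC failure is evaluated like any untrusted sender, which is the behaviour the summary attributes to the rule.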
Categories
- Network
- Endpoint
- Web
- Application
- Identity Management
Data Sources
- User Account
- Process
- Network Traffic
Created: 2025-03-12