
Attachment: DOCX with hyperlink targeting recipient address

Sublime Rules

Summary
This detection rule identifies DOCX attachments that contain hyperlinks crafted to target the recipient's own email address. A DOCX file is a ZIP container of XML parts; the rule inspects the document's internal strings for `<w:hyperlink` elements whose anchor attribute (`w:anchor`) matches the recipient's address. Attackers use this technique to personalize a document so that the recipient is more likely to click the link or run embedded scripts, while the lure itself is carried in a trusted file format that conventional controls tend to pass through.

The detection first filters inbound attachments to the relevant file types (`.docx` and `.docm`) and then scans each document's strings for the hyperlink pattern. If an anchor matches the recipient's email address, either in clear text or as a base64-encoded variant, the rule triggers an alert and classifies the message under credential phishing and malware delivery tactics. The rule is an example of proactive detection of social engineering that abuses document formats users are inclined to trust.
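The check described above, reimplemented in Python as an added example; this is not Sublime Security's rule logic or its query language. It assumes the DOCX is a standard OOXML container with the main part at `word/document.xml`, treats a hit as the recipient address appearing anywhere inside a `w:anchor` value (substring match, case-insensitive for clear text, exact for base64), and includes a constructed `build_docx` fixture so the detector can be exercised offline without a real attachment.

```python
"""Flag DOCX/DOCM attachments whose hyperlink anchors embed the recipient's address."""
import base64
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
SCANNED_EXTENSIONS = (".docx", ".docm")  # file types the rule filters on


def should_scan(filename):
    """Mirror the rule's attachment filter: only .docx and .docm are inspected."""
    return filename.lower().endswith(SCANNED_EXTENSIONS)


def hyperlink_anchors(docx_bytes):
    """Return every w:anchor value set on a w:hyperlink in word/document.xml.

    Non-ZIP input or a container without the main document part yields an
    empty list instead of raising, so a malformed attachment does not break the scan.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
            xml_bytes = zf.read("word/document.xml")
    except (zipfile.BadZipFile, KeyError):
        return []
    root = ET.fromstring(xml_bytes)
    anchor_attr = f"{{{W_NS}}}anchor"
    return [
        node.get(anchor_attr)
        for node in root.iter(f"{{{W_NS}}}hyperlink")
        if node.get(anchor_attr)
    ]


def encoded_variants(email):
    """Base64 forms of the address (as given and lowercased, with and without '=' padding).

    Padding-stripped forms are included because senders sometimes drop the trailing '='.
    """
    variants = set()
    for form in {email, email.lower()}:
        enc = base64.b64encode(form.encode()).decode()
        variants.add(enc)
        variants.add(enc.rstrip("="))
    return sorted(variants)


def recipient_targeting_anchors(docx_bytes, recipient):
    """Anchors that contain the recipient address in clear text or base64 (assumed substring match)."""
    plain = recipient.lower()
    encoded = encoded_variants(recipient)
    hits = []
    for anchor in hyperlink_anchors(docx_bytes):
        if plain in anchor.lower() or any(enc in anchor for enc in encoded):
            hits.append(anchor)
    return hits


def build_docx(anchor):
    """Constructed test fixture: a minimal DOCX with one hyperlink carrying the given anchor."""
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        f'<w:hyperlink w:anchor={quoteattr(anchor)}>'
        '<w:r><w:t>Review document</w:t></w:r></w:hyperlink>'
        '</w:p></w:body></w:document>'
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    recipient = "jane.doe@example.com"  # constructed sample recipient
    samples = {  # constructed attachments: clear-text hit, base64 hit, benign bookmark
        "invoice.docx": build_docx("jane.doe@example.com"),
        "statement.docm": build_docx(encoded_variants(recipient)[0]),
        "notes.docx": build_docx("Section1"),
    }
    for name, blob in samples.items():
        hits = recipient_targeting_anchors(blob, recipient) if should_scan(name) else []
        print(f"{name}: {'ALERT ' + str(hits) if hits else 'clean'}")
```

A real pipeline would also walk headers, footers and other parts under `word/`, since a hyperlink in a header part would be missed by a scan of `document.xml` alone; the substring rule is deliberately loose so that anchors with extra prefixes or suffixes around the address still match.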
Categories
  • Endpoint
  • Web
  • Application
Data Sources
  • File
  • Process
  • Network Traffic
Created: 2025-12-18