Link: Cryptocurrency fraud with suspicious links

Sublime Rules

Summary
This detection rule identifies fraudulent messages about cryptocurrency and bitcoin that link to suspicious domains. It analyzes inbound messages for financial terms and the links that accompany them, looking for patterns commonly seen in scams. The message text must contain high-risk keywords such as 'cryptocurrency' or 'bitcoin', while benign messages classified under certain topics are excluded. Each link is then assessed for fraud indicators such as suspicious top-level domains (TLDs), newly registered domains, and link behaviors typical of scam tactics. Links are examined further through analysis modes that check redirect history, script behavior, and malicious JavaScript patterns that suggest the link delivers fraudulent content. To suppress false positives from legitimate cryptocurrency platforms, the rule checks the sender's domain against a whitelist. Together, these checks aim to reduce the risk of users falling for cryptocurrency scams and to protect them against these evolving threats.
Categories
  • Web
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
  • Web Credential
  • Application Log
  • Process
Created: 2025-12-02