
Summary
This detection rule identifies potentially malicious messages that contain links to executable files together with high-confidence indicators of security concerns, financial risk, or credential theft content. It considers only inbound messages that contain fewer than 10 links and checks each link for a common executable file extension, such as .exe or .app, while also examining whether the link's display text misleadingly suggests that the download is safe. Several filters exclude links from high-trust domains, in particular senders whose messages pass DMARC authentication, so that only potentially dangerous messages are flagged. The rule also assesses the context of the message, looking for topics and intents related to security, finance, and credential theft that are classified with high confidence. Combining these filters with the content analysis reduces false positives while still targeting messages that pose a risk of credential phishing or malware delivery.
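To make the rule's logic concrete, the following is an added Python example (not the rule's own query language or code) that applies the same filters to a constructed message: link count, executable extension on the URL path, display text that masks the file type, a DMARC-backed high-trust sender exclusion, and a high-confidence risk intent. The extension list beyond .exe/.app, the trust-domain allowlist, the intent label names, and the reading of the display-text check as "visible text does not show the executable extension" are all assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Extensions counted as executable. The page names .exe and .app; the rest are added assumptions.
EXECUTABLE_EXTS = (".exe", ".app", ".msi", ".scr")
# Assumed high-trust domain allowlist; the rule's real list is not on the page.
HIGH_TRUST_DOMAINS = {"microsoft.com", "google.com"}
# Topic/intent labels the rule cares about (label names assumed).
RISK_INTENTS = {"security_concern", "financial_risk", "credential_theft"}

@dataclass
class Link:
    href: str
    display_text: str

@dataclass
class Message:
    sender_domain: str
    dmarc_pass: bool  # DMARC result as evaluated by the receiving mail server
    links: list
    intents: list = field(default_factory=list)  # constructed stand-in for NLU output: (label, confidence)

def link_is_executable(link):
    """True when the URL path (query string and fragment ignored) ends in an executable extension."""
    return urlparse(link.href).path.lower().endswith(EXECUTABLE_EXTS)

def display_text_hides_executable(link):
    """Assumed reading of the page's display-text check: the visible text does not show the
    executable extension (it reads like a document or plain label), so the file type is masked."""
    return not link.display_text.strip().lower().endswith(EXECUTABLE_EXTS)

def is_trusted_sender(msg):
    return msg.dmarc_pass and msg.sender_domain.lower() in HIGH_TRUST_DOMAINS

def has_high_confidence_risk_intent(msg):
    return any(label in RISK_INTENTS and conf == "high" for label, conf in msg.intents)

def evaluate(msg):
    """Return the offending links; an empty list means the message is not flagged."""
    if len(msg.links) >= 10 or is_trusted_sender(msg):
        return []
    if not has_high_confidence_risk_intent(msg):
        return []
    return [l for l in msg.links if link_is_executable(l) and display_text_hides_executable(l)]

# Constructed sample: an "invoice" link that actually points at an .exe, from an untrusted domain.
SAMPLE = Message("payroll-notice.example", False,
                 [Link("https://cdn.example/Invoice_2025.exe?dl=1", "Invoice_2025.pdf"),
                  Link("https://cdn.example/terms.pdf", "Terms")],
                 [("financial_risk", "high"), ("credential_theft", "medium")])
```

Running `evaluate(SAMPLE)` returns only the disguised .exe link; the same links from a DMARC-passing high-trust domain, with no high-confidence intent, or in a message with 10 or more links return nothing.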
Categories
- Web
- Endpoint
- Cloud
Data Sources
- User Account
- Web Credential
- Network Traffic
- Application Log
Created: 2025-10-25