Link: Squarespace Infrastructure Abuse

Sublime Rules

Summary
This detection rule identifies inbound email messages that contain a Squarespace tracking link sourced from engage.squarespace-mail.com but lack the expected Squarespace email headers or sender characteristics. Its goal is to catch phishing or spam campaigns that impersonate Squarespace to deceive recipients. The rule only considers messages with a single Squarespace link, and it checks that no legitimate Squarespace email domain appears in the return path or headers. It also assesses the sender's email prevalence to filter out common, established senders, which reduces false positives when flagging potentially malicious messages.
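The conditions the summary describes, written out as an added Python check so the logic can be exercised against sample messages (this is not Sublime's rule or its query language). The allowlisted Squarespace domains, the sender-prevalence table and its threshold are assumptions, and both messages are constructed samples.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of domains a genuine Squarespace mailing uses in its
# return path and headers; the rule page does not enumerate them.
SQUARESPACE_DOMAINS = {"squarespace.com", "squarespace-mail.com"}
TRACKING_HOST = "engage.squarespace-mail.com"

# Constructed prevalence table (how often each sender has mailed this org)
# and an assumed threshold; a deployment would query gateway history instead.
SENDER_PREVALENCE = {"billing@example-vendor.com": 240}
COMMON_SENDER_THRESHOLD = 10
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def _is_squarespace_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in SQUARESPACE_DOMAINS)

def squarespace_link_abuse(msg):
    """True when msg matches all rule conditions. msg has 'body', 'from',
    'return_path' and 'headers' (dict of lowercased header name -> value)."""
    urls = URL_RE.findall(msg["body"])
    tracking = [u for u in urls if urlparse(u).hostname == TRACKING_HOST]
    if len(tracking) != 1:                      # exactly one Squarespace tracking link
        return False
    if _is_squarespace_domain(_domain(msg["return_path"])):
        return False                            # return path is real Squarespace infra
    header_blob = " ".join(msg["headers"].values()).lower()
    if any(d in header_blob for d in SQUARESPACE_DOMAINS):
        return False                            # headers reference Squarespace domains
    if SENDER_PREVALENCE.get(msg["from"].lower(), 0) >= COMMON_SENDER_THRESHOLD:
        return False                            # frequent sender, treated as legitimate
    return True

# Constructed samples: an impersonation and a genuine Squarespace notification.
PHISH = {"from": "alerts@example-invoices.net",
         "return_path": "bounce@example-invoices.net",
         "headers": {"message-id": "<abc@example-invoices.net>"},
         "body": "Your site will expire. Renew: https://engage.squarespace-mail.com/ls/click?upn=AbC123"}
LEGIT = {"from": "no-reply@squarespace.com",
         "return_path": "bounces+123@squarespace-mail.com",
         "headers": {"message-id": "<xyz@squarespace-mail.com>"},
         "body": "View invoice: https://engage.squarespace-mail.com/ls/click?upn=XyZ"}
```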
Categories
  • Endpoint
  • Web
  • Application
Data Sources
  • User Account
  • Web Credential
  • Application Log
Created: 2025-04-01