
Summary
This detection rule flags emails whose body contains links shortened with Twitter's link shortener (t.co) but which originate from non-Twitter domains, a pattern commonly used in phishing and spam attacks. The rule requires that the email body contain fewer than 10 links and that at least one of them point to t.co. It then confirms that the sender's domain is not one of the Twitter domains that legitimately send such links (twitter.com, x.com, or twitter.discoursemail.com). The sender's reputation is also examined: if the sender has a history of sending malicious or spam messages, the rule triggers a detection. Finally, the rule adds a check against high-trust domains: a sender from a high-trust domain is flagged only when the message fails DMARC authentication, while senders from low-trust domains are exempt from this DMARC requirement. These layered conditions help identify likely threats without generating excessive false positives.
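To make the conditions concrete, the following is an added Python model of the rule's logic, not the rule's own query or code; it runs over constructed sample messages, and the message field names, the link-extraction regex and the high-trust domain list are assumptions.

```python
import re
from urllib.parse import urlparse

# Domains the rule treats as legitimate senders of t.co links.
TWITTER_SENDER_DOMAINS = {"twitter.com", "x.com", "twitter.discoursemail.com"}
# Assumption: constructed stand-in for the rule's high-trust domain list.
HIGH_TRUST_DOMAINS = {"trusted-partner.example"}
MAX_LINKS = 10  # body must carry fewer than this many links

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_links(body):
    """Return every http(s) URL in the body (assumed extraction method)."""
    return URL_RE.findall(body)


def is_tco_link(url):
    """True only when the URL's host is exactly t.co (not a look-alike path or subdomain)."""
    return (urlparse(url).hostname or "").lower() == "t.co"


def sender_domain(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def rule_matches(msg):
    """Apply the rule's conditions in order; False means no detection."""
    links = extract_links(msg["body"])
    if len(links) >= MAX_LINKS:
        return False
    if not any(is_tco_link(u) for u in links):
        return False
    domain = sender_domain(msg["sender"])
    if domain in TWITTER_SENDER_DOMAINS:  # Twitter itself is expected to send t.co links
        return False
    if not msg["sender_any_malicious_or_spam"]:  # negative sender history is required
        return False
    # High-trust senders are flagged only when DMARC fails; other domains skip this check.
    if domain in HIGH_TRUST_DOMAINS and msg["dmarc_pass"]:
        return False
    return True


# Constructed sample messages (not real traffic).
SAMPLES = {
    "lure": {"sender": "alerts@random-sender.example", "body": "Verify now: https://t.co/AbCd123", "sender_any_malicious_or_spam": True, "dmarc_pass": True},
    "from_twitter": {"sender": "info@twitter.com", "body": "https://t.co/AbCd123", "sender_any_malicious_or_spam": True, "dmarc_pass": True},
    "clean_sender": {"sender": "news@random-sender.example", "body": "https://t.co/AbCd123", "sender_any_malicious_or_spam": False, "dmarc_pass": True},
    "trusted_dmarc_pass": {"sender": "it@trusted-partner.example", "body": "https://t.co/AbCd123", "sender_any_malicious_or_spam": True, "dmarc_pass": True},
    "trusted_dmarc_fail": {"sender": "it@trusted-partner.example", "body": "https://t.co/AbCd123", "sender_any_malicious_or_spam": True, "dmarc_pass": False},
    "no_tco": {"sender": "x@random-sender.example", "body": "https://t.co.evil.example/a https://example.com/t.co", "sender_any_malicious_or_spam": True, "dmarc_pass": False},
    "bulk_links": {"sender": "x@random-sender.example", "body": " ".join(f"https://t.co/{i}" for i in range(10)), "sender_any_malicious_or_spam": True, "dmarc_pass": False},
}
```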
Categories
- Web
- Cloud
- Application
- Identity Management
Data Sources
- User Account
- Internet Scan
- Web Credential
Created: 2024-03-06