Catbox.moe Link From Untrusted Source

Sublime Rules

Summary
This detection rule identifies messages that contain links to the file hosting service catbox.moe when those links are sent from untrusted sources. It evaluates each incoming message for any hyperlink that points to catbox.moe and whose path does not end in '.json'. A sender counts as untrusted when its domain is not in the set of highly trusted domains, or when it is in that set but the message failed DMARC authentication, which potentially indicates malicious intent behind the link sharing. The rule aims to mitigate the risks of file sharing from untrusted sources, particularly malware and ransomware threats that could exploit such file hosting services.
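The matching logic described in the summary, as an added Python illustration (not the rule's own source). The trusted-domain set, the message dictionary layout, and every sample sender and link are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: stand-in for the rule's set of highly trusted sender domains.
HIGH_TRUST_DOMAINS = {"example.com", "example.org"}
TARGET = "catbox.moe"

def is_catbox_link(url):
    """True for a link on catbox.moe (or a subdomain) whose path does not end in .json."""
    if "://" not in url:
        url = "http://" + url  # scheme-less links still need a parsable host
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    # Anchor on the registered domain so look-alike hosts are not matched.
    on_catbox = host == TARGET or host.endswith("." + TARGET)
    return on_catbox and not parts.path.endswith(".json")

def sender_untrusted(sender_domain, dmarc_pass):
    """Untrusted: not a highly trusted domain, or a trusted one that failed DMARC."""
    if sender_domain.lower() not in HIGH_TRUST_DOMAINS:
        return True
    return not dmarc_pass

def rule_matches(msg):
    return (any(is_catbox_link(u) for u in msg["links"])
            and sender_untrusted(msg["sender_domain"], msg["dmarc_pass"]))

# Constructed sample messages (hypothetical layout: sender_domain, dmarc_pass, links).
SAMPLES = [
    {"sender_domain": "sender.example", "dmarc_pass": True,
     "links": ["https://files.catbox.moe/a1b2c3.zip"]},
    {"sender_domain": "example.com", "dmarc_pass": True,
     "links": ["https://files.catbox.moe/a1b2c3.zip"]},
    {"sender_domain": "example.com", "dmarc_pass": False,
     "links": ["https://files.catbox.moe/a1b2c3.zip"]},
    {"sender_domain": "sender.example", "dmarc_pass": False,
     "links": ["https://catbox.moe/data.json"]},
    {"sender_domain": "sender.example", "dmarc_pass": False,
     "links": ["https://catbox.moe.lookalike.example/a1b2c3.zip"]},
]

def evaluate(samples=SAMPLES):
    return [rule_matches(m) for m in samples]

if __name__ == "__main__":
    for msg, hit in zip(SAMPLES, evaluate()):
        print("FLAG " if hit else "pass ", msg["sender_domain"], msg["links"][0])
```

The third sample shows the case the summary singles out: a sender in the trusted set is still flagged once DMARC fails.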
Categories
  • Web
  • Endpoint
  • Cloud
  • Other
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2025-07-10