Link: URL redirecting to blob URL

Sublime Rules

Summary
This detection rule flags inbound messages that contain a link which, once its redirects are followed, lands on a blob: URL, a pattern used for malware delivery and credential harvesting. It is rated medium severity. To keep the signal focused, the rule only evaluates messages with fewer than 10 links and exactly one recipient whose email domain is valid; each link is run through link analysis, and the rule fires if any link's redirect chain reaches a URL with the blob scheme. A blob: URL is created inside the victim's browser by the landing page's JavaScript (URL.createObjectURL) and is scoped to that page's origin, so the phishing form or download never exists as a fetchable page on a server: URL reputation lookups and crawlers that do not execute JavaScript see only the redirector, which is why the rule depends on link analysis rather than a static check of the visible href. The rule combines sender analysis, URL analysis and threat intelligence, targets credential phishing and malware or ransomware delivery, and maps to the evasion, free file hosting and open redirect tactics.
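As an added worked example (not the rule's own query language, which this page does not reproduce), the following Python applies the conditions the summary lists to a few constructed messages. The hostnames, the redirect chains standing in for real link-analysis output, and the simplified domain-validity check are all assumptions made for illustration; the blob: hop in the constructed chain is the one a JavaScript-executing crawler would record after the landing page calls URL.createObjectURL and navigates to the result.

```python
"""Added example: the rule summary's conditions applied to constructed
messages. Redirect chains are hand-written stand-ins (assumption) for the
output a real link-analysis crawler would produce after executing JS."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_LINKS = 10  # the rule only considers messages with fewer links than this


class _HrefCollector(HTMLParser):
    """Collects href values from <a> tags in an HTML body (simplified:
    the real rule's link set covers more than anchor tags)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html_body):
    parser = _HrefCollector()
    parser.feed(html_body)
    return parser.hrefs


def domain_is_valid(email):
    """Assumed stand-in for the 'valid email domain' condition: the part
    after '@' must be a dotted hostname ending in a 2+ letter TLD."""
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1].lower()
    pattern = r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}"
    return re.fullmatch(pattern, domain) is not None


def redirects_to_blob(redirect_history):
    """True if any hop of the resolved redirect chain is a blob: URL.
    Such a hop only appears if the crawler ran the landing page's script,
    because blob: URLs are minted client-side and scoped to that origin."""
    return any(urlsplit(url).scheme.lower() == "blob" for url in redirect_history)


@dataclass
class Message:
    recipients_to: list      # recipient email addresses
    html_body: str           # HTML body the links are extracted from
    redirect_history: dict   # href -> list of resolved hops (constructed)


def rule_matches(msg):
    """All four conditions from the summary must hold."""
    links = extract_links(msg.html_body)
    if len(links) >= MAX_LINKS:
        return False
    if len(msg.recipients_to) != 1 or not domain_is_valid(msg.recipients_to[0]):
        return False
    return any(redirects_to_blob(msg.redirect_history.get(href, [])) for href in links)


# Constructed sample data (hostnames and UUID are invented for the example).
REDIRECTOR = "https://redirector.example/r?u=abc"
BLOB_CHAIN = [
    REDIRECTOR,
    "https://files.example/view.html",
    "blob:https://files.example/7a3c1c2e-0c84-4c9f-9b1a-2f8e2a9b5c11",
]
HTTPS_CHAIN = [REDIRECTOR, "https://files.example/view.html"]
BODY = (f'<p>Your invoice is ready.</p><a href="{REDIRECTOR}">View document</a>'
        '<a href="https://corp.example/unsubscribe">unsubscribe</a>')

PHISH = Message(["alice@corp.example"], BODY, {REDIRECTOR: BLOB_CHAIN})
BENIGN = Message(["alice@corp.example"], BODY, {REDIRECTOR: HTTPS_CHAIN})
TWO_RECIPIENTS = Message(["alice@corp.example", "bob@corp.example"], BODY,
                         {REDIRECTOR: BLOB_CHAIN})
MANY_LINKS = Message(
    ["alice@corp.example"],
    BODY + "".join(f'<a href="https://news.example/{i}">{i}</a>' for i in range(8)),
    {REDIRECTOR: BLOB_CHAIN},
)

if __name__ == "__main__":
    for name, msg in [("PHISH", PHISH), ("BENIGN", BENIGN),
                      ("TWO_RECIPIENTS", TWO_RECIPIENTS), ("MANY_LINKS", MANY_LINKS)]:
        print(f"{name:15s} match={rule_matches(msg)}")
```

Only the first message fires: the second has the same redirector but its chain ends on a normal HTTPS page, the third has two recipients, and the fourth carries 10 links, one short of nothing but still outside the "fewer than 10" bound. Note that a static check of the visible href would pass every one of these messages, since the href itself is always an ordinary HTTPS redirector.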
Categories
  • Web
  • Cloud
  • Endpoint
Data Sources
  • Web Credential
  • Network Traffic
  • Application Log
Created: 2026-02-25