Link: Webflow Link from Unsolicited Sender

Sublime Rules

Summary
The detection rule 'Link: Webflow Link from Unsolicited Sender' identifies potentially malicious messages that contain links to the domain webflow.io when those links are sent by unsolicited senders. The domain belongs to a free service for creating websites and hosting files, and threat actors have exploited this service to create phishing landing pages intended to deceive users into providing their credentials. The rule uses conditional logic to assess the sender, analyzing sender trustworthiness and historical message behavior to determine whether the link presents a phishing risk without being falsely classified as spam. It combines content analysis, URL analysis, and sender analysis to monitor and safeguard against callback phishing techniques that rely on free hosting services.
Categories
  • Web
  • Cloud
  • Infrastructure
Data Sources
  • User Account
  • Network Traffic
  • Web Credential
Created: 2024-09-16