Truth Social infrastructure abuse via link redirect

Sublime Rules

Summary
This rule identifies potentially malicious email messages that impersonate Truth Social by including links to 'links.truthsocial.com' while originating from non-Truth Social domains. The rule applies several checks to inbound email: it first confirms that the message body contains fewer than ten links and that at least one of those links points to the specified Truth Social domain. It then ensures the sender's email domain is not a legitimate 'truthsocial.com' domain. To improve precision, the rule also examines the sender's email profile, looking for prior malicious or spam activity while excluding cases previously marked as false positives. Emails from highly trusted sender domains are skipped unless they fail DMARC authentication, so that legitimate communications are not flagged erroneously. By combining content analysis, sender analysis, and URL validation, the rule targets email-based scams that use the Truth Social brand as a vehicle for phishing, malware, or spam.
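The following Python model, added here as an illustration and not the rule's own MQL or any Sublime code, walks through the five checks described above over a handful of constructed messages. The `SenderProfile` and `Message` fields, the link-extraction regex, and the way the sender-profile condition is combined with the others (prior malicious or spam activity that has not been marked a false positive) are assumptions made for this example; only the thresholds and domains come from the summary.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Values taken from the rule summary above.
TARGET_LINK_HOST = "links.truthsocial.com"
LEGIT_SENDER_DOMAIN = "truthsocial.com"
MAX_LINKS = 10  # body must contain fewer than ten links


@dataclass
class SenderProfile:
    """Hypothetical stand-in for a sender-reputation profile (assumed fields)."""
    prior_malicious_or_spam: bool = False
    marked_false_positive: bool = False


@dataclass
class Message:
    """Minimal inbound-message shape for this example (assumed fields)."""
    sender_domain: str
    body: str
    dmarc_pass: bool
    profile: SenderProfile
    highly_trusted_sender_domain: bool = False


URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_link_hosts(body: str) -> List[str]:
    """Return the lowercase hostname of every http(s) URL found in the body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_domain_or_subdomain(domain: str, parent: str) -> bool:
    d = domain.lower().rstrip(".")
    return d == parent or d.endswith("." + parent)


def matches_rule(msg: Message) -> bool:
    """Apply the five checks from the summary; True means the message is flagged."""
    hosts = extract_link_hosts(msg.body)
    # 1. fewer than ten links in the body
    if len(hosts) >= MAX_LINKS:
        return False
    # 2. at least one link points at the Truth Social redirect host
    if not any(h == TARGET_LINK_HOST for h in hosts):
        return False
    # 3. the sender is not a truthsocial.com domain
    if is_domain_or_subdomain(msg.sender_domain, LEGIT_SENDER_DOMAIN):
        return False
    # 4. sender profile shows prior malicious/spam activity not marked a false positive
    #    (assumed combination; the page does not state the exact boolean form)
    if not (msg.profile.prior_malicious_or_spam and not msg.profile.marked_false_positive):
        return False
    # 5. highly trusted sender domains are skipped unless DMARC fails
    if msg.highly_trusted_sender_domain and msg.dmarc_pass:
        return False
    return True


def build_samples() -> Dict[str, Message]:
    """Constructed sample messages; all domains and URLs are placeholders."""
    bad = SenderProfile(prior_malicious_or_spam=True)
    clean = SenderProfile()
    fp = SenderProfile(prior_malicious_or_spam=True, marked_false_positive=True)
    lure = ("<p>Your account is locked. Verify here: "
            "https://links.truthsocial.com/r/PLACEHOLDER</p>"
            "<p>Help: https://support.example.net/help</p>")
    many = " ".join(f"https://example.net/p{i}" for i in range(11))
    many += " https://links.truthsocial.com/r/PLACEHOLDER"
    return {
        "lure_from_lookalike": Message("truthsocial-alerts.example.net", lure, True, bad),
        "lookalike_no_history": Message("truthsocial-alerts.example.net", lure, True, clean),
        "legit_truthsocial": Message("mail.truthsocial.com", lure, True, bad),
        "trusted_dmarc_pass": Message("bigmail.example.com", lure, True, bad, True),
        "trusted_dmarc_fail": Message("bigmail.example.com", lure, False, bad, True),
        "too_many_links": Message("truthsocial-alerts.example.net", many, True, bad),
        "no_truthsocial_link": Message("promo.example.net", "https://example.net/a", True, bad),
        "prior_false_positive": Message("promo.example.net", lure, True, fp),
    }


def run_samples() -> Dict[str, bool]:
    return {name: matches_rule(m) for name, m in build_samples().items()}


if __name__ == "__main__":
    for name, flagged in run_samples().items():
        print(f"{name:24s} -> {'FLAG' if flagged else 'pass'}")
```

Each sample isolates one check: the lookalike sender with bad history is flagged, while the same message from a `truthsocial.com` subdomain, from a trusted domain that passes DMARC, with too many links, or from a sender whose earlier flags were marked false positives is not. Under the assumed profile condition, a lookalike sender with no history at all is also not flagged; that is where a real deployment would tune the sender-profile logic.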
Categories
  • Web
  • Endpoint
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Network Traffic
  • File
  • Web Credential
Created: 2024-05-09