
Link: Suspicious single-domain link with suspicious path and financial lure indicators
Sublime Rules
Summary
Detects inbound messages in which every link points to the same root domain and at least one link follows a suspicious path pattern. The rule requires all of the following:
- The message contains only one distinct root domain across all href URLs.
- At least one link has a path matching /<lowercase letter>/<32 alphanumeric characters> and a domain with a 3-letter subdomain.
- The HTML carries cues consistent with financial lure tactics: an anchor with color #4fb077 and display text containing "cash offer", or display text such as "confirm info" or "view rates" with an overall HTML background color of #007bc2.
The rule uses URL analysis, HTML analysis, and content analysis to flag potential phishing that relies on templated deceptive messages. Severity is medium, with detection oriented toward spam and social engineering.
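The three conditions above, approximated in Python as an added example for triage or for testing samples against the described logic; this is not the rule's own source. Assumptions: the root domain is taken as the last two host labels (no public-suffix list), colors are read from inline style or bgcolor attributes, the path must match in full, and the sample HTML and example.test hosts are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PATH_RE = re.compile(r"/[a-z]/[A-Za-z0-9]{32}")   # /<lowercase letter>/<32 alphanumerics>
BG_RE = re.compile(r"background(-color)?\s*:\s*#007bc2", re.I)

class Anchors(HTMLParser):
    """Collect (href, style, display_text) per <a> and note a #007bc2 background."""
    def __init__(self):
        super().__init__()
        self.links, self.blue_bg, self._cur = [], False, None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        if BG_RE.search(style) or (a.get("bgcolor") or "").lower() == "#007bc2":
            self.blue_bg = True
        if tag == "a" and a.get("href"):
            self._cur = [a["href"], style.lower(), ""]
    def handle_data(self, data):
        if self._cur:
            self._cur[2] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur:
            self.links.append(tuple(self._cur))
            self._cur = None

def split_host(url):
    """Return (root_domain, subdomain). Assumption: root = last two labels."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def matches(html):
    p = Anchors()
    p.feed(html)
    one_root = len({split_host(h)[0] for h, _, _ in p.links}) == 1
    odd_path = any(PATH_RE.fullmatch(urlparse(h).path)
                   and re.fullmatch(r"[a-z]{3}", split_host(h)[1])
                   for h, _, _ in p.links)
    # (?<!-) keeps "background-color" from counting as the anchor's text color.
    green_offer = any(re.search(r"(?<!-)color\s*:\s*#4fb077", s) and "cash offer" in t.lower()
                      for _, s, t in p.links)
    blue_cta = p.blue_bg and any(k in t.lower() for _, _, t in p.links
                                 for k in ("confirm info", "view rates"))
    return bool(one_root and odd_path and (green_offer or blue_cta))

# Constructed sample message body (not taken from a real campaign).
TOKEN = "a1b2c3d4" * 4  # 32 alphanumeric characters
LURE = (f'<body style="background-color:#007bc2"><a href="https://abc.example.test/x/{TOKEN}">'
        'View Rates</a> <a href="https://example.test/unsubscribe">Unsubscribe</a></body>')
```

A message that adds a link to a second root domain, or whose path token is not exactly 32 characters, no longer matches, which shows how narrowly the logic is tied to one template.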
Categories
- Network
- Web
Data Sources
- Domain Name
- Network Traffic
Created: 2026-06-27