Link: SVG with embedded recipient data

Sublime Rules

Summary
This rule detects inbound messages containing a link to an SVG resource where the recipient's email address is embedded in the URL. It evaluates inbound content (body.links) and keeps only links whose href_url.path ends with .svg. For each recipient in the To list, it requires that the recipient's email has a valid domain, then checks the URL for targeting signals: the recipient's email appearing in the URL as plain text, or encoded as base64 within the URL (using scan_base64 with format="url", ignore_padding=true). If either pattern is found for any recipient, the rule fires.

The intent is to identify spear-phishing or tracking mechanisms that tailor SVG resources to individual recipients, a tactic used to bypass generic link scanning and to facilitate credential phishing or targeted malware delivery. The detection relies on URL analysis (href_url.url and the .svg path suffix) and content analysis (presence of the recipient's email, in plain or base64-encoded form, within the URL).

While this is effective against such evasion attempts, the rule may yield false positives in legitimate personalized campaigns or analytics links that legitimately incorporate recipient identifiers. Consider additional context checks (sender domain, DKIM/SPF results) and correlation with other indicators to bolster confidence and reduce noise.
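The following Python is an added illustration of the detection logic described above; it is not the rule's own MQL source and not Sublime's implementation. The message layout (a dict with inbound, to and links keys), the has_valid_domain regex (a rough stand-in for the rule's domain validity requirement), the sample message and its URLs are all constructed for this example. It goes slightly beyond the summary in two labelled ways: the plain-text check also runs over the percent-decoded URL, and the base64 check looks for the URL-safe, unpadded encoding of the address at all three possible byte alignments, so an address embedded in the middle of a longer base64 token (where scan_base64 would operate on the whole token) is still found.

```python
import base64
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit

# Rough stand-in for the rule's "recipient has a valid domain" requirement
# (assumption: well-formed local@domain.tld is treated as valid).
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def has_valid_domain(email: str) -> bool:
    return bool(EMAIL_RE.match(email))


def b64url_variants(needle: bytes) -> List[str]:
    """URL-safe, unpadded base64 substrings that must appear in any base64url
    stream containing `needle`, one per possible byte alignment (0, 1, 2).
    Leading and trailing characters that mix in bits from neighbouring bytes
    are dropped so the remainder is stable regardless of surrounding data."""
    variants = []
    for k in range(3):
        enc = base64.urlsafe_b64encode(b"\x00" * k + needle).decode().rstrip("=")
        start = {0: 0, 1: 2, 2: 3}[k]            # chars polluted by the k prefix bytes
        end = len(enc) - (1 if (k + len(needle)) % 3 else 0)  # partial last char
        variants.append(enc[start:end])
    return variants


def url_targets_recipient(url: str, email: str) -> bool:
    """Mirror the rule's two checks: plain-text address in the URL (also after
    percent-decoding, an addition to the summary) or its base64url encoding
    with padding ignored (format="url", ignore_padding=true)."""
    haystack = (url + " " + unquote(url)).lower()
    if email.lower() in haystack:
        return True
    candidates = {email, email.lower()}          # base64 is case-sensitive
    for cand in candidates:
        if any(v and v in url for v in b64url_variants(cand.encode())):
            return True
    return False


def svg_recipient_links(message: Dict) -> List[Tuple[str, str]]:
    """Apply the rule: inbound message, links whose URL path ends in .svg,
    each To recipient with a valid domain, address embedded in the URL.
    Returns the (recipient, url) pairs that would make the rule fire."""
    if not message.get("inbound"):
        return []
    hits = []
    for url in message.get("links", []):
        if not urlsplit(url).path.lower().endswith(".svg"):
            continue
        for rcpt in message.get("to", []):
            if has_valid_domain(rcpt) and url_targets_recipient(url, rcpt):
                hits.append((rcpt, url))
    return hits


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


# Constructed sample message (not real mail data).
SAMPLE_MESSAGE = {
    "inbound": True,
    "to": ["alice.smith@example.com", "bob@example.com", "not-an-address"],
    "links": [
        "https://cdn.example.net/assets/logo.svg",                      # generic SVG, benign
        "https://track.example.org/v/alice.smith@example.com/open.svg", # plain-text address
        "https://files.example.org/d/" + _b64url(b"bob@example.com") + "/doc.svg",
        # address inside a longer base64 token, shifted by a 5-byte prefix
        "https://files.example.org/x/" + _b64url(b"id=9;bob@example.com;ts=1") + "/open.svg",
        "https://files.example.org/u/" + _b64url(b"alice.smith@example.com") + "/page.html",  # not .svg
    ],
}

if __name__ == "__main__":
    for rcpt, url in svg_recipient_links(SAMPLE_MESSAGE):
        print(f"rule fires: recipient={rcpt} url={url}")
```

Running the block reports the second, third and fourth links; the plain logo link and the non-SVG link are ignored, as is the malformed recipient. The alignment-variant trick is what lets the fourth link match even though the address is not at the start of the base64 token.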
Categories
  • Web
  • Network
  • Identity Management
Data Sources
  • Network Traffic
Created: 2026-06-13