Service abuse: Formester with suspicious link behavior

Sublime Rules

Summary
This detection rule identifies potential abuse of the Formester service, which has been associated with credential phishing attacks. It fires when a Formester link redirects to a suspicious or malicious destination, particularly one tied to credential theft. The rule takes a multi-faceted approach to link analysis, examining both the URL structure and the link's display text for common phishing indicators. Key checks include links that lead to domains with suspicious top-level domains (TLDs), links that exhibit known phishing behaviors, and the presence of specific wording such as 'secure message' that may indicate fraudulent activity. In addition, if the form served by the service matches known patterns of abuse (such as keywords referring to Microsoft 365), that context also triggers the detection. Overall, the rule weighs both technical URL characteristics and social engineering cues, covering a broad range of potentially harmful link behavior.
Categories
  • Web
  • Cloud
Data Sources
  • User Account
  • Network Traffic
  • Web Credential
Created: 2025-12-20