
Summary
This detection rule identifies malicious links whose query string carries a parameter named 'rid' whose value is a 7-character alphanumeric string. It is designed to catch phishing and malware delivery attempts without raising false positives on legitimate tracking links, in particular those sent from well-known sender domains such as 'vtiger.com'. The rule evaluates a message on the basis of the links contained in the email body and inspects the structure of each link, confirming that the message does not come from a high-trust sender domain and that the link has not been judged benign by historical analysis. A regex check verifies that the 'rid' value meets the required length and character composition, and the number of parameters in the query string is limited so that overly long or complex URLs, which may obscure the tracking intent, are not matched. By concentrating on URLs that do not satisfy these safety checks, the rule aims to reduce the risk from credential phishing and ransomware delivery.
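The following is an added, self-contained illustration of the checks the summary describes, written for this page and not taken from the rule itself or from any detection product. It extracts links from a constructed email body, applies the 7-character alphanumeric 'rid' regex, caps the number of query parameters, and exempts messages from trusted sender domains. The parameter cap (MAX_QUERY_PARAMS), the URL-extraction regex, the sender addresses and the example URLs are assumptions chosen for illustration; the page names only 'vtiger.com' as a trusted domain and does not state the parameter threshold. The historical-benign exclusion mentioned in the summary needs a data source this example does not have, so it is omitted.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Trusted sender domains exempted from the rule. The page names vtiger.com;
# any further entries would be an assumption, so only that one is listed.
TRUSTED_SENDER_DOMAINS = {"vtiger.com"}

# The 'rid' value must be exactly 7 alphanumeric characters (page requirement).
RID_PATTERN = re.compile(r"^[A-Za-z0-9]{7}$")

# Assumed upper bound on query parameters; the page says the rule limits the
# parameter count but does not give the threshold.
MAX_QUERY_PARAMS = 3

# Assumed URL extraction pattern for plain-text email bodies.
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+")


def extract_links(body: str) -> list[str]:
    """Return http(s) links in the body, trailing punctuation stripped."""
    return [u.rstrip(".,;:)") for u in URL_PATTERN.findall(body)]


def link_matches_rule(url: str) -> bool:
    """True when the link has exactly one 'rid' parameter that is a
    7-character alphanumeric string and the query is not overly complex."""
    parsed = urlparse(url)
    params = parse_qsl(parsed.query, keep_blank_values=True)
    if len(params) > MAX_QUERY_PARAMS:
        return False  # long or complex query strings are not matched
    rid_values = [value for key, value in params if key == "rid"]
    if len(rid_values) != 1:
        return False
    return RID_PATTERN.match(rid_values[0]) is not None


def sender_domain(sender: str) -> str:
    """Extract the domain from 'Name <user@domain>' or 'user@domain'."""
    match = re.search(r"@([\w.-]+)", sender)
    return match.group(1).lower() if match else ""


def evaluate_message(sender: str, body: str) -> dict:
    """Apply the rule to one message and report the matching links."""
    if sender_domain(sender) in TRUSTED_SENDER_DOMAINS:
        return {"flagged": False, "reason": "trusted sender domain", "links": []}
    hits = [url for url in extract_links(body) if link_matches_rule(url)]
    return {
        "flagged": bool(hits),
        "reason": "rid tracking link" if hits else "no matching link",
        "links": hits,
    }


if __name__ == "__main__":
    # Constructed sample messages; the senders and URLs are not real.
    suspicious_body = (
        "Your invoice is ready, review it here: "
        "https://example-redirect.test/track?rid=Ab3dE9f."
    )
    benign_body = (
        "Weekly digest: https://example-news.test/?utm_source=mail&utm_campaign=w1"
    )
    for sender, body in [
        ("alerts@example-campaign.test", suspicious_body),
        ("notify@vtiger.com", suspicious_body),
        ("news@example-news.test", benign_body),
    ]:
        print(sender, evaluate_message(sender, body))
```

Running the block prints one verdict per constructed message: the untrusted sender with the 7-character 'rid' link is flagged, the same link from vtiger.com is exempted, and the digest with ordinary tracking parameters is not matched.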
Categories
- Web
- Endpoint
Data Sources
- User Account
- Network Traffic
Created: 2025-11-13