
Link: Multistage landing - ClickUp abuse

Sublime Rules

Summary
This detection rule identifies malicious ClickUp documents that may contain links to suspicious external domains. It targets documents that redirect to potentially harmful sites, such as phishing pages, or that link to new and untrusted domains, free file hosting services, and URL shorteners. The rule checks for specific strings indicating that a page is unavailable, which is used as a form of evasion. It combines WHOIS data to determine the age of domain names, URL analysis to detect links that do not belong to the trusted ClickUp domain or to defined organization domains, and aggressive link analysis to classify links by their phishing potential. The rule also looks for indicators of actions such as viewing or downloading, which are common in phishing attempts, and checks for captcha occurrences or redirects to known safe domains. Together, these checks allow high-confidence detection and prevention of potential credential phishing and malware dissemination through ClickUp links in documents.
Categories
  • Web
  • Cloud
  • Application
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
Created: 2026-02-28