Link: Base64 encoded recipient address in URL fragment with hex subdomain

Sublime Rules

Summary
This detection rule targets a phishing technique in which a malicious link carries a subdomain formatted as a 40-character hexadecimal string, while the victim's email address, Base64-encoded, is appended in the URL fragment. Encoding the address in the link personalizes the attack (the landing page can pre-fill or validate the target), which raises its chances of evading spam filters and detection systems. The rule evaluates inbound traffic for any link that meets both of the following conditions:
  • The subdomain is exactly 40 characters long and consists solely of hexadecimal characters (0-9, a-f).
  • The URL fragment matches a Base64-encoded form of the recipient's email address.
Given the potential for high-impact credential phishing attacks using this technique, the rule's severity is classified as high. The detection relies on URL and content analysis to identify these patterns, flagging potentially malicious messages before they reach the target.
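The two conditions above, reimplemented in Python as an added illustration; this is not the Sublime rule's own logic, and the sample message body, hostnames and recipient address are constructed for the example.

```python
import base64
import re
from urllib.parse import urlsplit

# First DNS label of exactly 40 hex characters (0-9, a-f); hostnames are
# lowercased before matching because DNS names are case-insensitive.
HEX40_LABEL = re.compile(r"^[0-9a-f]{40}$")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def base64_forms(address: str) -> set[str]:
    """Base64 spellings of the recipient address a link might carry:
    standard and URL-safe alphabets, with and without '=' padding."""
    forms = set()
    for text in {address, address.lower()}:
        raw = text.encode()
        for enc in (base64.b64encode(raw), base64.urlsafe_b64encode(raw)):
            s = enc.decode()
            forms.update({s, s.rstrip("=")})
    return forms

def link_matches(link: str, recipient: str) -> bool:
    """Both rule conditions: a 40-char hex subdomain and a fragment equal
    to the Base64-encoded recipient address."""
    parts = urlsplit(link)
    labels = (parts.hostname or "").lower().split(".")
    # Require a subdomain in front of the registered domain and TLD.
    if len(labels) < 3 or not HEX40_LABEL.match(labels[0]):
        return False
    return parts.fragment in base64_forms(recipient)

def flag_links(body: str, recipient: str) -> list[str]:
    """Return every link in a message body that trips the rule."""
    return [u for u in URL_RE.findall(body) if link_matches(u, recipient)]

# Constructed sample message (hex label and hosts are made up for the demo).
SAMPLE_BODY = (
    "Your mailbox is full. Review: "
    "https://0123456789abcdef0123456789abcdef01234567.example.net/login"
    "#YWxpY2VAZXhhbXBsZS5jb20= "
    "Docs: https://docs.example.net/help#YWxpY2VAZXhhbXBsZS5jb20="
)

if __name__ == "__main__":
    for hit in flag_links(SAMPLE_BODY, "alice@example.com"):
        print("flagged:", hit)
```

Only the first link is flagged: the second carries the same encoded address in its fragment but lacks the 40-character hex subdomain, so one condition alone is not enough.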
Categories
  • Web
  • Endpoint
  • Cloud
Data Sources
  • Web Credential
  • Network Traffic
  • Application Log
Created: 2026-01-30