
Link to Google Apps Script macro (unsolicited)

Sublime Rules

Summary
This detection rule identifies messages containing links to Google Apps Script macros, which can lead to security threats. Google Apps Script lets users run arbitrary code within Google services, and malicious actors may exploit this functionality to redirect users to harmful websites. The rule looks for inbound messages that include a link on the domain 'script.google.com' whose path begins with '/macros'. It also considers the sender's profile: the rule activates if the sender's profile is categorized as new or an outlier. It also triggers if the sender has a history of sending malicious or spam messages but no false positives. This layered approach combines sender and URL analysis to counteract potential threats from unsolicited macro links.
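The matching logic described in the summary, as an added Python example (not the Sublime rule's own source). The `SenderProfile` fields, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

@dataclass
class SenderProfile:  # hypothetical stand-in for sender history data
    prevalence: str   # "new", "outlier", or anything else for an established sender
    prior_malicious_or_spam: bool = False
    prior_false_positives: bool = False

def is_apps_script_macro_link(url: str) -> bool:
    """Host must be exactly script.google.com and the path must begin with /macros."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:  # malformed URL, e.g. an unterminated IPv6 literal
        return False
    # hostname excludes userinfo and port and is lower-cased, so look-alike
    # URLs that merely contain the string "script.google.com" do not match.
    return host == "script.google.com" and parts.path.startswith("/macros")

def sender_gate(p: SenderProfile) -> bool:
    """New/outlier sender, or prior malicious/spam history with no false positives."""
    return p.prevalence in ("new", "outlier") or (
        p.prior_malicious_or_spam and not p.prior_false_positives)

def rule_matches(direction: str, body: str, profile: SenderProfile) -> bool:
    if direction != "inbound":
        return False
    has_link = any(is_apps_script_macro_link(u) for u in URL_RE.findall(body))
    return has_link and sender_gate(profile)

MACRO = "Open https://script.google.com/macros/s/EXAMPLE_ID/exec to continue"
SAMPLES = [  # constructed messages: (direction, body, sender profile)
    ("inbound", MACRO, SenderProfile("new")),
    ("inbound", MACRO, SenderProfile("common")),
    ("inbound", "See https://script.google.com@example.net/macros/s/x", SenderProfile("new")),
    ("inbound", MACRO, SenderProfile("common", prior_malicious_or_spam=True)),
    ("inbound", MACRO, SenderProfile("common", True, prior_false_positives=True)),
    ("outbound", MACRO, SenderProfile("new")),
    ("inbound", "https://script.google.com.example.net/macros/s/x", SenderProfile("outlier")),
    ("inbound", "https://script.google.com/home/projects", SenderProfile("new")),
]

def evaluate_samples() -> list:
    return [rule_matches(d, b, p) for d, b, p in SAMPLES]
```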
Categories
  • Web
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Web Credential
Created: 2021-07-16