Link: Direct Link to keap.app contact-us page

Sublime Rules

Summary
This detection rule targets URLs that link to the Keap App's contact-us page, which has previously been abused to host malicious content because the domain is reputable. It inspects inbound requests that contain fewer than ten links and flags any link to the Keap App contact page among them. The rule looks for direct links whose path starts with '/contact-us/' as well as links encoded within query parameters, a common technique in open redirect attacks. Only unique instances of such links are extracted, to reduce the risk of false positives. A match indicates a risk of credential phishing or malware delivery.
Categories
  • Web
  • Cloud
  • Application
Data Sources
  • Web Credential
  • Network Traffic
Created: 2025-05-24
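
The logic described in the Summary can be sketched in Python as follows. This is an added example, not the rule's own source: the function names, the inclusion of keap.app subdomains, the single pass of percent-decoding and the sample URLs are all assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

MAX_LINKS = 10  # per the summary: only bodies with fewer than ten links

def is_keap_contact(url):
    """True if url is on keap.app (subdomains included: an assumption)
    and its path starts with /contact-us/."""
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    on_keap = host == "keap.app" or host.endswith(".keap.app")
    return on_keap and parts.path.lower().startswith("/contact-us/")

def keap_contact_links(links):
    """Unique keap.app contact-us URLs, direct or carried in a query value."""
    hits = set()
    for link in links:
        if is_keap_contact(link):
            hits.add(link)
            continue
        try:
            query = urlsplit(link).query
        except ValueError:
            continue
        for _, value in parse_qsl(query):  # parse_qsl percent-decodes values
            if is_keap_contact(value):
                hits.add(value)
    return hits

def rule_matches(links):
    return len(links) < MAX_LINKS and bool(keap_contact_links(links))

# Constructed sample inputs (not taken from real traffic).
CONTACT = "https://keap.app/contact-us/0000000000000000"
DIRECT = [CONTACT, CONTACT]
WRAPPED = ["https://click.example.com/r?u=https%3A%2F%2Fkeap.app%2Fcontact-us%2F0000000000000000"]
LOOKALIKE = ["https://keap.app.example.net/contact-us/x", "https://keap.app/pricing"]
BULK = [CONTACT] + ["https://example.com/item/%d" % i for i in range(9)]

if __name__ == "__main__":
    for name, links in [("direct", DIRECT), ("wrapped", WRAPPED),
                        ("lookalike", LOOKALIKE), ("bulk", BULK)]:
        print(name, rule_matches(links), sorted(keap_contact_links(links)))
```

The lookalike case shows why the host is compared exactly or as a dot-prefixed suffix rather than by substring, and the bulk case shows the link-count gate suppressing a match in a body with ten links.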