
Summary
This detection rule identifies inbound messages that contain .onion links (addresses on the Tor network) and arrive from unsolicited senders. It flags such a message when the sender either fails DMARC (Domain-based Message Authentication, Reporting & Conformance) authentication or comes from a domain that is not classified as trusted. The rule applies several conditions: the message must be inbound, it must contain at least one .onion link, and the sender must not be a solicited contact. It then compares the sender's email domain against a list of high-trust sender root domains. If the domain is on the high-trust list but the message fails DMARC, the rule still raises an alert; if the domain is not on the list, the rule alerts regardless. The aim is to surface phishing attempts or malware distribution that rely on Tor network links.
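The rule logic described above, rendered as an added Python example (this is not the rule's own code or query language). The high-trust root domain list, the sample messages and the root-domain helper are constructed for illustration; a real deployment would take the DMARC result and sender history from the mail platform.

```python
import re
from dataclasses import dataclass

# Tor onion addresses are base32 (a-z, 2-7): 16 chars for v2, 56 for v3; scheme is optional.
ONION_RE = re.compile(r"(?i)\b(?:https?://)?[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")
# Constructed high-trust sender root domains (placeholders, not a real list).
HIGH_TRUST_ROOT_DOMAINS = {"example.com", "partner.example"}

@dataclass
class Message:
    direction: str    # "inbound" or "outbound"
    sender: str       # sender address from the message headers
    body: str         # message body text
    dmarc_pass: bool  # outcome of the DMARC authentication check
    solicited: bool   # sender is a known or previously contacted party

def root_domain(address):
    """Root of the sender's domain: last two labels (simplification; ignores public-suffix rules)."""
    domain = address.rsplit("@", 1)[-1].strip("<>").lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) > 1 else domain

def find_onion_links(text):
    """Return every .onion link found in the text."""
    return ONION_RE.findall(text)

def matches(msg):
    """True when the rule would alert on the message."""
    if msg.direction != "inbound" or msg.solicited:
        return False
    if not find_onion_links(msg.body):
        return False
    root = root_domain(msg.sender)
    if root in HIGH_TRUST_ROOT_DOMAINS:
        return not msg.dmarc_pass  # trusted root: alert only when DMARC fails
    return True                    # untrusted root: alert regardless of DMARC

# Constructed sample messages exercising each branch of the rule.
SAMPLES = {
    "trusted_dmarc_pass": Message("inbound", "alerts@mail.example.com", "Reset: http://abcdefghijklmnop.onion/login", True, False),
    "trusted_dmarc_fail": Message("inbound", "alerts@mail.example.com", "Reset: http://abcdefghijklmnop.onion/login", False, False),
    "untrusted_dmarc_pass": Message("inbound", "news@unknown-sender.net", "Invoice at qrstuvwxyzabcdef.onion", True, False),
    "no_onion_link": Message("inbound", "news@unknown-sender.net", "Invoice at https://unknown-sender.net/inv", True, False),
    "solicited_sender": Message("inbound", "news@unknown-sender.net", "Invoice at qrstuvwxyzabcdef.onion", True, True),
    "outbound": Message("outbound", "me@corp.example", "See abcdefghijklmnop.onion", True, False),
}

def run_samples():
    """Map each sample name to the rule's verdict (True = alert)."""
    return {name: matches(msg) for name, msg in SAMPLES.items()}
```

Only the two cases the summary calls out fire: a high-trust root domain that fails DMARC, and any untrusted root domain carrying an .onion link from an unsolicited sender.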
Categories
- Web
- Endpoint
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2025-07-31