Service abuse: Random Google Firebase sender address with suspicious content

Sublime Rules

Summary
This rule detects suspicious messages received from Firebase hosting domains characterized by randomly generated subdomains. It identifies such messages based on several indicators of potential abuse, including the presence of emojis, specific spam-related keywords, unusual link patterns, or the use of freemail registrant information. To identify these messages reliably, the rule applies several checks:
  • It checks that the sender's email domain is under "firebaseapp.com" and that the subdomain matches the randomly generated format.
  • It requires that the message contains links and that suspicious elements are present in the body or subject.
  • It looks for spammy keywords commonly found in phishing attempts.
  • It evaluates the HTML content for suspicious structures, such as links without tracking parameters or links tied to freemail accounts.
Overall, the rule aims to flag likely spam or credential phishing attempts that abuse Firebase's hosting infrastructure.
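The following Python sketch is an added illustration of the detection logic described above; it is not the Sublime rule itself, and the keyword list, the "randomly generated subdomain" heuristic, the sample messages and the precomputed freemail-registrant flag are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed keyword list for illustration; the real rule's terms are not on the page.
SPAM_KEYWORDS = ("verify your account", "claim your reward", "urgent", "password expired")
# Common emoji blocks (Misc Symbols, Dingbats, and the supplementary emoji planes).
EMOJI_RE = re.compile("[\U0001F300-\U0001FAFF\u2600-\u27BF]")
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
# Assumed heuristic for "randomly generated": 8+ lowercase alphanumerics with at least one digit.
RANDOM_LABEL_RE = re.compile(r"^(?=.*\d)[a-z0-9-]{8,}$")

@dataclass
class Message:
    sender: str
    subject: str
    body_html: str
    # The rule's freemail registrant check needs WHOIS data; modelled here as a precomputed flag.
    sender_domain_freemail_registrant: bool = False

def is_random_firebase_sender(sender: str) -> bool:
    """True when the sender domain is <random-label>.firebaseapp.com."""
    domain = sender.rsplit("@", 1)[-1].lower()
    labels = domain.split(".")
    return (len(labels) == 3 and labels[1:] == ["firebaseapp", "com"]
            and bool(RANDOM_LABEL_RE.match(labels[0])))

def indicators(msg: Message) -> list[str]:
    """Return the abuse indicators that fired; an empty list means the rule does not match."""
    if not is_random_firebase_sender(msg.sender):
        return []
    links = HREF_RE.findall(msg.body_html)
    if not links:                       # the rule requires at least one link
        return []
    text = msg.subject + " " + re.sub(r"<[^>]+>", " ", msg.body_html)
    hits = []
    if EMOJI_RE.search(text):
        hits.append("emoji")
    if any(k in text.lower() for k in SPAM_KEYWORDS):
        hits.append("spam_keyword")
    if any("?" not in url for url in links):   # link with no tracking parameters
        hits.append("untracked_link")
    if msg.sender_domain_freemail_registrant:
        hits.append("freemail_registrant")
    return hits

def is_suspicious(msg: Message) -> bool:
    return bool(indicators(msg))
```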
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Process
  • Network Traffic
  • Application Log
  • Web Credential
Created: 2025-11-27