
Link: URL path containing /moni/index

Sublime Rules

Summary
This rule detects inbound messages that include links targeting the '/moni/index' path. It matches either the URL path portion (href_url.path containing '/moni/index') or decoded query parameters (href_url.query_params_decoded containing '/moni/index'), and it also flags the exact path '/moni'. These patterns have been observed in credential phishing campaigns where attackers use open redirects or obfuscated links to steal credentials.

The detection applies URL analysis to inbound content to identify malicious link usage within message threads (body.current_thread.links) and href_url fields. The goal is to alert on potential credential-phishing links before they can deceive users. If a match is found, a high-severity alert is generated.

Potential false positives could arise from legitimate internal tooling or documentation that uses similar '/moni' endpoints; environment-specific tuning may be needed. Mitigations include validating external links in inbound messages, applying strict allowlists for internal paths, user education on phishing indicators, and monitoring for open-redirect patterns in URLs.
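To make the three matching conditions concrete, here is a Python re-implementation of the rule's link logic run over constructed sample links. This is an added example, not the Sublime rule's own MQL; the URLs, the hostnames and the function names are assumptions, and the decoded-query case shows why percent-decoding matters for open-redirect style parameters.

```python
from urllib.parse import urlsplit, parse_qsl

# Added illustration of the rule's matching conditions (not the rule's MQL).
TARGET_FRAGMENT = "/moni/index"
TARGET_EXACT_PATH = "/moni"


def link_match_reason(url: str):
    """Return why a single link matches the rule, or None if it does not.

    Mirrors the summary's three conditions: the raw URL path contains
    '/moni/index', the path is exactly '/moni', or a percent-decoded
    query parameter (key or value) contains '/moni/index'.
    """
    parts = urlsplit(url)
    if TARGET_FRAGMENT in parts.path:
        return "path contains /moni/index"
    if parts.path == TARGET_EXACT_PATH:
        return "path equals /moni"
    # parse_qsl percent-decodes keys and values, so a redirect parameter
    # carrying an encoded '%2Fmoni%2Findex' is still caught here.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if TARGET_FRAGMENT in key or TARGET_FRAGMENT in value:
            return "decoded query parameter contains /moni/index"
    return None


def evaluate_message(links):
    """Evaluate every link from a message thread, as the rule would.

    Returns the matching links with their reasons and the alert severity
    ('high' on any match, 'none' otherwise).
    """
    matches = []
    for url in links:
        reason = link_match_reason(url)
        if reason:
            matches.append({"url": url, "reason": reason})
    return {"severity": "high" if matches else "none", "matches": matches}


# Constructed sample links standing in for body.current_thread.links.
SAMPLE_LINKS = [
    "https://example.test/moni/index",
    "https://example.test/moni",
    "https://redirect.example.test/go?url=https%3A%2F%2Fevil.example.test%2Fmoni%2Findex",
    "https://example.test/monitor/index",       # benign: different segment
    "https://example.test/docs?ref=monitoring",  # benign
]

if __name__ == "__main__":
    result = evaluate_message(SAMPLE_LINKS)
    print(result["severity"])  # high
    for m in result["matches"]:
        print(m["url"], "->", m["reason"])
```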
Categories
  • Web
  • Endpoint
Data Sources
  • Application Log
  • Process
Created: 2026-04-25