Link abuse: Self-service creation platform link with suspicious recipient behavior

Sublime Rules

Summary
This rule detects potentially malicious messages that originate from new freemail accounts and direct recipients to self-service creation platforms. It identifies combinations of sender and recipient behavior that may indicate phishing or fraud. The rule triggers when a message is sent from a freemail provider and also meets conditions on recipient behavior, such as invalid recipient addresses, the sender mailing itself, or unusual use of the CC/BCC fields. In addition, the rule looks for links in the message body that lead to known self-service creation domains, particularly when the link's display text is in all capital letters. These conditions are combined so that only messages exhibiting this set of characteristics are flagged for further review.
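To make the combination of conditions concrete, the following Python is an added illustration, not the Sublime rule itself (its query language and reference lists are not reproduced on this page). The freemail and self-service domain sets, the message field names, the sample messages and the specific CC/BCC heuristic are all constructed assumptions; the "new account" age signal is omitted because it needs external enrichment.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder lists; a real deployment uses curated feeds.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
SELF_SERVICE_DOMAINS = {"example-sites.test", "example-forms.test"}
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def recipient_anomalies(msg):
    """Return the recipient-side anomalies the rule describes."""
    to, cc, bcc = msg.get("to", []), msg.get("cc", []), msg.get("bcc", [])
    rcpts = to + cc + bcc
    reasons = []
    if any(not ADDR_RE.match(r) for r in rcpts):
        reasons.append("invalid recipient address")
    if msg["sender"].lower() in {r.lower() for r in rcpts}:
        reasons.append("sender is also a recipient")
    # Assumption: an empty To with populated CC/BCC counts as "unusual".
    if not to and (cc or bcc):
        reasons.append("empty To with CC/BCC populated")
    return reasons

def is_all_caps(text):
    letters = [c for c in text if c.isalpha()]
    return bool(letters) and all(c.isupper() for c in letters)

def self_service_links(links):
    """Links whose host is a self-service domain and whose text shouts."""
    hits = []
    for display, href in links:
        host = urlparse(href).hostname or ""
        on_list = any(host == d or host.endswith("." + d)
                      for d in SELF_SERVICE_DOMAINS)
        if on_list and is_all_caps(display):
            hits.append(href)
    return hits

def evaluate(msg):
    """All three conditions must hold; returns the reasons or []."""
    if sender_domain(msg["sender"]) not in FREEMAIL_DOMAINS:
        return []
    reasons = recipient_anomalies(msg)
    links = self_service_links(msg.get("links", []))
    if not reasons or not links:
        return []
    return reasons + [f"all-caps link to self-service domain: {h}" for h in links]
```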
Categories
  • Web
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
  • Web Credential
Created: 2025-12-03