
Summary
This rule detects inbound messages in Portuguese or Spanish that reference tax documents and direct users to suspicious domains. It requires exactly one recipient with a valid domain and between 1 and 14 links (parsed as hyperlinks). The body text is checked for tax-document phrases in Portuguese and Spanish. Links are flagged when their domain belongs to a URL shortener, a free file host, a free subdomain host, or a self-service domain creation platform, or when the domain is recently registered (per Whois, days_old < 30); trusted domains such as sharepoint.com and box.com are exempt. The subject is checked for indicators such as nf, a 7–10 digit number, or nota fiscal. To reduce false positives, the rule excludes highly trusted senders whose messages pass DMARC authentication. Attack focus includes BEC/Fraud, credential phishing, and malware/ransomware delivery. Detection methods include content analysis, URL analysis, and Whois lookups. The lure relies on social engineering and on the abuse of free hosting and subdomain services to lend it credibility.
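The logic summarized above, re-implemented in Python as an added example (this is not the rule's own source). The category lists, the Portuguese/Spanish phrase list, the highly trusted sender set, and the Whois age table are constructed assumptions for the demo; only sharepoint.com, box.com, the 1–14 link bound, the days_old < 30 threshold, and the subject indicators come from the summary. Three constructed messages show a match, the DMARC/trusted-sender exemption, and the trusted link-domain exemption.

```python
"""Illustrative re-implementation of the tax-document lure rule (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed category lists, constructed for this example; a real deployment
# would take them from maintained intelligence lists.
URL_SHORTENERS = {"bit.ly", "tinyurl.com"}
FREE_FILE_HOSTS = {"free-files.example"}
FREE_SUBDOMAIN_HOSTS = {"free-host.example"}
SELF_SERVICE_DOMAIN_PLATFORMS = {"site-builder.example"}
TRUSTED_LINK_DOMAINS = {"sharepoint.com", "box.com"}   # named in the summary
HIGHLY_TRUSTED_SENDERS = {"trusted-partner.example"}   # assumed sender allowlist
RECENT_REGISTRATION_DAYS = 30                          # Whois days_old < 30

# Assumed subset of Portuguese / Spanish tax-document phrases.
TAX_DOC_PHRASES = ("nota fiscal", "nf-e", "fatura", "factura", "comprobante fiscal")
# Subject indicators from the summary: "nf", a 7-10 digit number, "nota fiscal".
SUBJECT_PATTERN = re.compile(r"\bnf\b|\b\d{7,10}\b|nota fiscal", re.IGNORECASE)

# Constructed Whois table: hostname -> days since registration.
WHOIS_DAYS_OLD = {"nf-portal-2026.example": 12, "empresa.example": 4000}


@dataclass
class Message:
    sender_domain: str
    recipients: list
    subject: str
    body: str
    links: list
    dmarc_pass: bool = False


def _in_list(host, domains):
    """True when host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def _valid_recipient(addr):
    local, sep, domain = addr.rpartition("@")
    return bool(sep and local and "." in domain and not domain.startswith("."))


def link_domain(url):
    host = urlparse(url).hostname
    return host.lower() if host else None


def suspicious_link_reasons(links, whois_days_old):
    """One reason per link that hits a flagged category; trusted domains are exempt."""
    reasons = []
    for url in links:
        host = link_domain(url)
        if host is None or _in_list(host, TRUSTED_LINK_DOMAINS):
            continue
        if _in_list(host, URL_SHORTENERS):
            reasons.append(f"{host}: url shortener")
        elif _in_list(host, FREE_FILE_HOSTS):
            reasons.append(f"{host}: free file host")
        elif _in_list(host, FREE_SUBDOMAIN_HOSTS):
            reasons.append(f"{host}: free subdomain host")
        elif _in_list(host, SELF_SERVICE_DOMAIN_PLATFORMS):
            reasons.append(f"{host}: self-service domain platform")
        else:
            days = whois_days_old.get(host)  # None: no Whois record, not treated as recent
            if days is not None and days < RECENT_REGISTRATION_DAYS:
                reasons.append(f"{host}: registered {days} days ago")
    return reasons


def matches(msg, whois_days_old):
    """Apply every condition of the rule; all must hold for a match."""
    if len(msg.recipients) != 1 or not _valid_recipient(msg.recipients[0]):
        return False
    if not 1 <= len(msg.links) <= 14:
        return False
    body = msg.body.lower()
    if not any(p in body for p in TAX_DOC_PHRASES):
        return False
    if not SUBJECT_PATTERN.search(msg.subject):
        return False
    # False-positive control: a highly trusted sender that passes DMARC is exempt.
    if msg.dmarc_pass and msg.sender_domain.lower() in HIGHLY_TRUSTED_SENDERS:
        return False
    return bool(suspicious_link_reasons(msg.links, whois_days_old))


# Constructed sample messages.
_BODY = "Segue em anexo a nota fiscal referente ao pedido. Acesse o link para baixar."
SAMPLES = {
    "lure": Message("nf-portal-2026.example", ["user@empresa.example"],
                    "NF 1234567 pendente", _BODY,
                    ["https://nf-portal-2026.example/download"]),
    "trusted_sender": Message("trusted-partner.example", ["user@empresa.example"],
                              "NF 1234567 pendente", _BODY,
                              ["https://bit.ly/abc123"], dmarc_pass=True),
    "sharepoint_link": Message("empresa.example", ["user@empresa.example"],
                               "Nota fiscal 987654321", _BODY,
                               ["https://contoso.sharepoint.com/sites/fin/nf.pdf"]),
}


def run_samples():
    return {name: matches(msg, WHOIS_DAYS_OLD) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

The trusted-domain check is a suffix match, so a tenant subdomain such as contoso.sharepoint.com is exempt just like sharepoint.com itself, while an unknown Whois record (None) is deliberately not counted as "recent" so that lookup gaps do not inflate matches.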
Categories
- Web
- Application
- Network
Data Sources
- Process
- Application Log
- Network Traffic
- Domain Name
Created: 2026-04-15