
Summary
Detects inbound messages whose link display text contains RFI (Request for Information) document reference patterns used to lure recipients into following links. The rule scans the links in the current thread of the message body (body.current_thread.links); for any link whose display_text matches the pattern RFI-<1–5 digits>-<1–5 digits>-<1–5 digits> (bounded by word boundaries), it triggers only if the link text does not also match the longer, common date-like formats RFI-<2 digits>-<2 digits>-<4 digits> or RFI-<4 digits>-<2 digits>-<2 digits>. Additionally, the message must contain fewer than 11 links in total (length(body.links) < 11) to reduce noise from link-heavy newsletters and templates. This combination targets social engineering and BEC/fraud attempts that impersonate formal RFIs while filtering out legitimate or template-like references. Detection methods include content analysis (examining the text of the link display) and URL analysis (assessing the associated link). The rule is aligned with the Web/Network contexts typical of inbound communications.
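The matching logic described above, re-expressed in Python as an added illustration rather than the rule's own source. The message dictionary layout, the `display_text` key and case-insensitive matching are assumptions; the sample links are constructed.

```python
import re

# Word-bounded RFI-n-n-n reference with 1-5 digit groups (the trigger pattern).
# Case-insensitive matching is an assumption, not stated on the page.
RFI_REF = re.compile(r"\bRFI-\d{1,5}-\d{1,5}-\d{1,5}\b", re.IGNORECASE)
# Date-like shapes that the rule explicitly excludes (DD-MM-YYYY and YYYY-MM-DD).
DATE_LIKE = (
    re.compile(r"\bRFI-\d{2}-\d{2}-\d{4}\b", re.IGNORECASE),
    re.compile(r"\bRFI-\d{4}-\d{2}-\d{2}\b", re.IGNORECASE),
)
MAX_LINKS = 11  # rule requires length(body.links) < 11


def link_text_matches(display_text):
    """True if the display text carries an RFI reference that is not date-like."""
    if not display_text:
        return False
    if not RFI_REF.search(display_text):
        return False
    # The generic pattern also matches the date shapes, so exclude them explicitly.
    return not any(p.search(display_text) for p in DATE_LIKE)


def rule_fires(message):
    """Evaluate the rule over a dict shaped like the fields the rule reads (assumed layout)."""
    if len(message["body"]["links"]) >= MAX_LINKS:
        return False  # too many links: treated as noise
    thread_links = message["body"]["current_thread"]["links"]
    return any(link_text_matches(link.get("display_text")) for link in thread_links)


def constructed_message(display_texts, extra_links=0):
    """Build a constructed sample message; extra_links pads body.links without display text."""
    links = [{"display_text": t, "href": "https://example.invalid/doc"} for t in display_texts]
    links += [{"display_text": None, "href": "https://example.invalid/pad"}] * extra_links
    return {"body": {"links": links, "current_thread": {"links": links[: len(display_texts)]}}}


if __name__ == "__main__":
    lure = constructed_message(["Open RFI-00123-7-99", "Unsubscribe"])
    dated = constructed_message(["RFI-12-34-5678", "RFI-2026-04-02"])
    noisy = constructed_message(["RFI-1-2-3"], extra_links=10)
    print(rule_fires(lure), rule_fires(dated), rule_fires(noisy))
```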
Categories
- Web
- Network
Data Sources
- Network Traffic
Created: 2026-04-02