Link: Multistage Landing - Ludus Presentation

Sublime Rules

Summary
This detection rule identifies potentially malicious standalone Ludus document links that contain suspicious embedded links. It focuses on links that target Microsoft services and employ evasion techniques commonly associated with phishing attacks. The rule inspects the structure of the presentation content, checking that it contains only one link to the presumed safe domain 'ludus.one'. It then scrutinizes the linked URLs for specific patterns, such as suspicious top-level domains and well-known keywords associated with credential theft. By analyzing the link redirect history and using machine-learning models to assess the likelihood of phishing, the rule aims to uncover sophisticated attempts to deceive users into revealing sensitive information. It also accounts for the sender's domain reputation by checking whether highly trusted domains fail DMARC authentication.
Categories
  • Web
  • Cloud
  • Identity Management
Data Sources
  • Web Credential
  • User Account
  • Network Traffic
Created: 2025-05-15