Link: Mixed case HTTPS protocol

Sublime Rules

Summary
Detects inbound messages that contain links using a mixed-case HTTPS protocol (hTTPs) to evade detection. The rule fires when there is at least one link in the message body and any link's href_url.url contains the exact substring 'hTTPs://'. By combining content analysis (inspecting message structure) with URL analysis (checking the link URL content), it targets obfuscation techniques often used in credential phishing and malware delivery. This heuristic helps surface attempts to bypass case-insensitive filters and raises alerts for potential phishing or malware campaigns. Reference ID: f3424a81-3843-5a3e-8fc8-126cf7037cfa.
Categories
  • Network
  • Endpoint
  • Web
Data Sources
  • Network Traffic
Created: 2026-03-10