
Summary
This detection rule identifies URLs that have been obfuscated across multiple HTML anchor tags to evade URL analysis tools and other security systems. The technique splits the URL scheme (http or https) across separate anchor elements, with each part of the URL enclosed in its own anchor tag. For example, the markup <a>h</a><a>ttp://malicious.com</a> renders for the user as what appears to be a normal link. Because conventional security tools expect each URL to appear as a single, complete string, this obfuscation can evade them, which makes it a common tactic in credential phishing campaigns and in attacks stemming from compromised email accounts. The technique was notably observed in real-world credential phishing attempts between 2024 and 2025, highlighting the increasing sophistication of attackers in bypassing URL extraction mechanisms. The rule uses methods such as content, HTML, and URL analysis to detect these crafted URLs and raises an alert when a potential obfuscation pattern is identified.
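The check described above, as an added Python example (not the rule's own logic): it joins the text of adjacent anchor elements and reports a URL only when the http(s):// scheme is missing from the first fragment and appears after joining. The names AnchorRuns, find_split_scheme_urls and SAMPLE are hypothetical, the sample HTML is constructed, and treating any other element or visible text between anchors as the end of a run is an assumption of this example.

```python
import re
from html.parser import HTMLParser

SCHEME = re.compile(r"https?://", re.IGNORECASE)   # complete scheme
URL = re.compile(r"https?://\S+", re.IGNORECASE)   # scheme plus the rest

class AnchorRuns(HTMLParser):
    """Collect the text of each run of adjacent <a> elements."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.runs, self._run, self._text = [], [], None

    def _end_run(self):
        if self._run:
            self.runs.append(self._run)
        self._run = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._text = []            # start buffering this anchor's text
        elif self._text is None:
            self._end_run()            # another element separates anchors

    def handle_endtag(self, tag):
        if tag == "a" and self._text is not None:
            self._run.append("".join(self._text))
            self._text = None
        elif self._text is None:
            self._end_run()

    def handle_data(self, data):
        if self._text is not None:
            self._text.append(data)
        elif data.strip():
            self._end_run()            # visible text separates anchors

def find_split_scheme_urls(html):
    """Yield URLs whose http(s):// scheme appears only after joining anchors."""
    parser = AnchorRuns()
    parser.feed(html)
    parser.close()
    parser._end_run()                  # flush the last run in the document
    for run in parser.runs:
        for i, first in enumerate(run[:-1]):
            match = URL.match("".join(run[i:]).lstrip())
            # Flag only when the first fragment alone lacks the full scheme.
            if first.strip() and match and not SCHEME.match(first.lstrip()):
                yield match.group(0)

# Constructed sample: the split link from the summary, then an ordinary link.
SAMPLE = ('<a>h</a><a>ttp://malicious.com</a>'
          '<p><a href="https://example.com">https://example.com</a></p>')
```

Whitespace-only gaps between anchors are tolerated, so a scheme split across three or more fragments is still reassembled.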
Categories
- Web
- Network
Data Sources
- Script
- Application Log
- Network Traffic
Created: 2025-12-03