
Summary
This detection rule identifies potential abuse of SendGrid and similar services by flagging messages that carry links built to look like SendGrid click-tracking links but that serve no legitimate tracking purpose. It looks for links whose path indicates a click-tracking event (e.g. '/ls/click') and whose query string carries a decoded 'upn' parameter, the shape of a SendGrid-formatted tracked link, and, more critically, whose URL fragment contains base64-encoded data that decodes to a zlib-compressed stream. Attackers favour the fragment for this because a browser never sends it to the server and URL scanners often ignore it, so a compressed and encoded redirect target or phishing payload can ride inside an otherwise legitimate-looking link. The rule combines content analysis of the message with URL analysis of each link, and its severity is elevated because credential phishing that borrows a trusted platform's link format is likely to pass both user scrutiny and reputation-based filtering.
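The three checks described above, run over constructed sample links, as an added example that is not the rule's own logic or any vendor code. The host name, the 'upn' value and the hidden target are made up for this example; the rule itself does not depend on the host, so the example keys only on the path, the 'upn' parameter and whether the fragment base64-decodes to something zlib (or raw deflate) can inflate.

```python
import base64
import binascii
import re
import zlib
from urllib.parse import parse_qs, urlparse

# Constructed samples for this example only. The host, the upn token and the
# hidden target are invented; the fragment is built exactly the way the rule
# expects an attacker to build it: zlib-compress, then base64-encode.
HIDDEN_TARGET = b"https://login.example.test/reset?user=victim@example.test"
ENCODED_FRAGMENT = base64.urlsafe_b64encode(zlib.compress(HIDDEN_TARGET)).decode()

SAMPLE_SUSPICIOUS = "https://u0000.ct.example.test/ls/click?upn=c29tZS1vcGFxdWUtdG9rZW4#" + ENCODED_FRAGMENT
SAMPLE_BENIGN = "https://u0000.ct.example.test/ls/click?upn=c29tZS1vcGFxdWUtdG9rZW4"
SAMPLE_PLAIN_FRAGMENT = "https://u0000.ct.example.test/ls/click?upn=c29tZS1vcGFxdWUtdG9rZW4#section-2"

# Constructed message body containing one benign and one suspicious link.
SAMPLE_MESSAGE = (
    "Your invoice is ready.\n"
    "View it here:\n" + SAMPLE_BENIGN + "\n"
    "Or confirm your account:\n" + SAMPLE_SUSPICIOUS + "\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def decode_base64_lenient(text):
    """Decode standard or URL-safe base64, tolerating missing padding.
    Returns None when the text is not valid base64 at all."""
    text = text.strip().replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def inflate(blob):
    """Try a zlib-wrapped stream first, then raw deflate; None if neither inflates."""
    if not blob:
        return None
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    return None


def analyze_link(url):
    """Apply the rule's three URL checks to one link and return each result."""
    parts = urlparse(url)
    params = parse_qs(parts.query)
    click_path = parts.path.rstrip("/").endswith("/ls/click")
    has_upn = bool(params.get("upn", [""])[0])
    raw = decode_base64_lenient(parts.fragment) if parts.fragment else None
    inflated = inflate(raw) if raw is not None else None
    return {
        "click_path": click_path,
        "has_upn": has_upn,
        "fragment_inflates": inflated is not None,
        "inflated": inflated,
        "suspicious": click_path and has_upn and inflated is not None,
    }


def scan_message(body):
    """Content analysis: pull every link out of a message body and keep the ones
    that trip all three checks, together with their analysis."""
    findings = []
    for url in URL_RE.findall(body):
        result = analyze_link(url)
        if result["suspicious"]:
            findings.append((url, result))
    return findings


if __name__ == "__main__":
    for url, result in scan_message(SAMPLE_MESSAGE):
        print("suspicious link:", url)
        print("  fragment inflates to:", result["inflated"].decode(errors="replace"))
```

The benign sample and the one with an ordinary '#section-2' fragment both carry the click path and a 'upn' parameter, so they show why the fragment check is the decisive one: without it the rule would fire on every legitimately tracked link. A practitioner tuning this should expect the opposite failure too, a fragment that is valid base64 of random-looking bytes will not inflate and is correctly left alone.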
Categories
- Cloud
- Web
Data Sources
- Web Credential
- Network Traffic
Created: 2025-11-25