
Summary
This rule detects inbound messages containing URL shortener links that redirect to a Windows search-ms protocol query crafted to locate local .lnk shortcuts. It requires two conditions: (1) at least one link whose href domain is in the configured URL shorteners list, and (2) at least one link whose final DOM resolves to a search-ms: query that references a .lnk file. Together these indicate an attempt to trigger a local file search on a Windows host, potentially to discover or leverage shortcut files for further compromise. The rule leverages URL analysis and aggressive link analysis to dereference the final DOM and confirm the search-ms query pattern, and classifies the activity under evasion and scripting techniques with Malware/Ransomware implications. It is a high-severity detection intended to stop attackers from using a search-ms query delivered in a message to locate sensitive files or shortcuts as a precursor to delivering a payload or executing a local action.
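The two-condition check described above, as an added illustration written for this page rather than the rule's own implementation: link extraction from the message body, the shortener list, the stand-in for link dereferencing (a constructed lookup table in place of following redirects and loading the final DOM), and the search-ms/.lnk pattern are all assumptions made here so that the script runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Assumed shortener list (constructed for this example, not the rule's configured list).
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

# Assumed stand-in for aggressive link analysis: maps a link in the message to the
# URLs found in its final DOM after redirects. Constructed data, not real links.
FINAL_DOM_LINKS = {
    "https://bit.ly/3xAmPl3": [
        r"search-ms:query=*.lnk&crumb=location:\\10.0.0.5\share&displayname=Downloads",
    ],
    "https://tinyurl.com/newsletter": ["https://example.com/newsletter"],
}

# A search-ms: protocol query whose query string references a .lnk file.
SEARCH_MS_LNK = re.compile(r"^search-ms:.*\.lnk", re.IGNORECASE)


class _HrefCollector(HTMLParser):
    """Collects href values from <a> tags in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())


def extract_links(html_body):
    parser = _HrefCollector()
    parser.feed(html_body)
    return parser.hrefs


def is_shortener(url):
    """Condition 1: the href domain is in the shortener list."""
    host = (urlparse(url).hostname or "").lower()
    return host in URL_SHORTENERS


def final_dom_links(url):
    """Assumed dereference step: returns links seen in the final DOM (constructed lookup)."""
    return FINAL_DOM_LINKS.get(url, [url])


def is_search_ms_lnk(url):
    """Condition 2 helper: percent-decode first so an encoded 'search-ms:' or '.lnk' is not missed."""
    return bool(SEARCH_MS_LNK.search(unquote(url)))


def evaluate(html_body):
    """Return both conditions and the overall match, so a triage analyst can see which fired."""
    links = extract_links(html_body)
    shortener_hit = any(is_shortener(u) for u in links)
    search_ms_hit = any(is_search_ms_lnk(f) for u in links for f in final_dom_links(u))
    return {
        "shortener": shortener_hit,
        "search_ms_lnk": search_ms_hit,
        "match": shortener_hit and search_ms_hit,
    }


# Constructed sample message bodies.
SAMPLE_SUSPICIOUS = '<p>Your invoice is ready: <a href="https://bit.ly/3xAmPl3">view</a></p>'
SAMPLE_BENIGN = '<p>Read our <a href="https://tinyurl.com/newsletter">newsletter</a></p>'

if __name__ == "__main__":
    print("suspicious:", evaluate(SAMPLE_SUSPICIOUS))
    print("benign:", evaluate(SAMPLE_BENIGN))
```

Percent-decoding before matching matters because a `search-ms:` link is often delivered with the query string URL-encoded; matching only the raw href would miss it, while decoding keeps the pattern simple.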
Categories
- Web
- Endpoint
Data Sources
- Script
- File
- Process
Created: 2026-04-08