Link: 9WOLF phishkit initial landing URI

Sublime Rules

Summary
This detection rule identifies phishing attempts that use the 9WOLF service for initial landing pages. It monitors inbound links for the query parameter '?ai=xd', which is characteristic of URLs associated with 9WOLF phishing campaigns, and matches when any link in the monitored content contains this URL pattern. The severity is 'high' because a successful phishing attack can compromise user credentials or distribute malware. The detection relies on URL analysis and threat intelligence to identify such patterns accurately. It is classified under the attack type 'Malware/Ransomware', as phishing is often a precursor to these more severe threats, and under the tactic 'Evasion', as attackers continuously evolve their techniques to bypass traditional security measures.
Categories
  • Web
  • Network
Data Sources
  • Web Credential
  • Network Traffic
Created: 2026-01-30
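
The link check described in the Summary, written out as an added Python example; it is not the rule's own source. It assumes the indicator is the whole key/value pair `ai=xd` anywhere in the query string, which is stricter than a substring match, and the function names and `example.test` links are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Indicator taken from the rule summary: query parameter ai=xd.
INDICATOR = ("ai", "xd")


class _HrefCollector(HTMLParser):
    """Collect href values from <a> tags; HTMLParser decodes entities like &amp;."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def has_indicator(url):
    """True when the URL's query string carries ai=xd as a whole key/value pair."""
    query = urlsplit(url.strip()).query
    pairs = parse_qsl(query, keep_blank_values=True)
    return INDICATOR in pairs


def flagged_links(html_body):
    """Return the links in an HTML body that match the indicator."""
    parser = _HrefCollector()
    parser.feed(html_body)
    parser.close()
    return [h for h in parser.hrefs if has_indicator(h)]


# Constructed sample body; example.test hosts are placeholders, not real IoCs.
SAMPLE_BODY = """
<a href="https://login.example.test/?ai=xd">Review document</a>
<a href="https://cdn.example.test/view?id=7&amp;ai=xd">Open</a>
<a href="https://shop.example.test/?ai=xdr">Substring only</a>
<a href="https://news.example.test/?email=xd&amp;mai=xd">Other key</a>
<a href="https://docs.example.test/page#?ai=xd">Fragment only</a>
"""

if __name__ == "__main__":
    for link in flagged_links(SAMPLE_BODY):
        print("MATCH", link)
```

The last three sample links show why parsing the query matters: a longer value, a different key ending in `ai`, and a fragment that only looks like a query are all left unflagged.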