
Brand Impersonation: Coinbase with suspicious links

Sublime Rules

Summary
This detection rule targets credential-phishing messages that impersonate Coinbase and carry suspicious links. It matches a message only when the sender's email domain is not coinbase.com and the body contains between one and four links, none of which resolve to a Coinbase domain. At least one of those links must point to a known URL shortener or to a domain with low reputation; trusted shortened links, such as Google Maps links, are exempted so that they do not trigger the rule on their own. In addition, the message must carry an image attachment in which logo detection identifies the Coinbase logo. The detection methods involved are URL analysis, file analysis, and machine-learning-based visual recognition of the logo. Taken together, these conditions aim to catch brand impersonation that would otherwise lead recipients to hand over their credentials.
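To make the conditions above concrete, here is a Python re-implementation of the summarized logic run over a handful of constructed messages. This is an added example, not the rule's own source (Sublime rules are written in MQL, and this page does not reproduce that text); the `Message`/`Attachment` model, the `detected_brands` field standing in for logo-detection output, and the shortener, low-reputation and exemption lists are all assumptions made so the code runs offline.

```python
"""Constructed walk-through of the Coinbase brand-impersonation conditions.

Added example, not the rule's MQL. The data model and the lists below are
assumptions; Sublime maintains its own shortener list and link reputation data.
"""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

# Assumed stand-ins for the rule's shortener list and link-reputation signal.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
LOW_REPUTATION_DOMAINS = {"coinbase-verify.xyz"}
# Trusted shortened links the summary says are exempted (Google Maps).
EXEMPT_HOSTS = {"maps.app.goo.gl"}
BRAND_DOMAIN = "coinbase.com"


@dataclass
class Attachment:
    content_type: str
    # Brands a logo detector reported for this file (assumed field).
    detected_brands: List[str] = field(default_factory=list)


@dataclass
class Message:
    sender_domain: str
    body_links: List[str]
    attachments: List[Attachment] = field(default_factory=list)


def root_domain(host: str) -> str:
    """Naive registrable-domain helper: last two labels. A real implementation
    should use the public suffix list (e.g. co.uk would break this one)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_host(url: str) -> str:
    return urlparse(url).hostname or ""


def link_is_suspicious(url: str) -> bool:
    """Shortener or low-reputation domain, unless the host is exempted.
    The exemption is checked first, so maps.app.goo.gl does not count as the
    goo.gl shortener even though its root domain is on the shortener list."""
    host = link_host(url)
    if host in EXEMPT_HOSTS:
        return False
    rd = root_domain(host)
    return rd in URL_SHORTENERS or rd in LOW_REPUTATION_DOMAINS


def has_brand_logo(att: Attachment) -> bool:
    return att.content_type.startswith("image/") and "Coinbase" in att.detected_brands


def matches_rule(msg: Message) -> bool:
    """All conditions from the summary must hold for the message to match."""
    if root_domain(msg.sender_domain) == BRAND_DOMAIN:
        return False                      # sender is the brand itself
    if not 1 <= len(msg.body_links) <= 4:
        return False                      # link count outside 1..4
    if any(root_domain(link_host(u)) == BRAND_DOMAIN for u in msg.body_links):
        return False                      # a link actually goes to Coinbase
    if not any(link_is_suspicious(u) for u in msg.body_links):
        return False                      # no shortener / low-reputation link
    return any(has_brand_logo(a) for a in msg.attachments)


# Constructed sample messages; none of these are real phishing samples.
LOGO = Attachment("image/png", ["Coinbase"])
SAMPLES: Dict[str, Message] = {
    "shortener_phish": Message("coinbase-alerts.com", ["https://bit.ly/3xyzABC"], [LOGO]),
    "lowrep_phish": Message("mail.example.net",
                            ["https://coinbase-verify.xyz/login", "https://example.net/unsub"], [LOGO]),
    "legit_sender": Message("coinbase.com", ["https://bit.ly/3xyzABC"], [LOGO]),
    "links_to_brand": Message("newsletter.example.com",
                              ["https://www.coinbase.com/price", "https://bit.ly/3xyzABC"], [LOGO]),
    "maps_exempt": Message("friend.example.org", ["https://maps.app.goo.gl/abc123"], [LOGO]),
    "too_many_links": Message("coinbase-alerts.com", [f"https://bit.ly/{i}" for i in range(5)], [LOGO]),
    "no_logo": Message("coinbase-alerts.com", ["https://bit.ly/3xyzABC"], [Attachment("application/pdf")]),
}


def evaluate_samples() -> Dict[str, bool]:
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:16s} -> {'MATCH' if verdict else 'no match'}")
```

Only the two constructed phishing samples match; the others each fail exactly one condition, which is a useful way to see that the rule is a conjunction and that any single legitimate signal (a real coinbase.com link, a Maps short link, no logo) suppresses it.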
Categories
  • Web
  • Network
  • Identity Management
Data Sources
  • User Account
  • Process
  • Network Traffic
Created: 2023-07-26