
Summary
This detection rule identifies messages containing links that point to sensitive or hidden directories commonly targeted by attackers, such as .git, .env, and .well-known. Exposed .git and .env directories can leak source code, credentials, and configuration secrets, and unauthorized access to them can lead to credential theft and compromise of the server environment; .well-known is a legitimate location by design but is rarely browsed or indexed, which makes all three attractive places to hide phishing landing pages that impersonate legitimate services. The rule fires on inbound messages with up to ten links, checking each link against known sensitive directory patterns. It also evaluates the sender's domain against a list of trusted domains: links in messages from a trusted sender domain that also passes DMARC authentication are not flagged, so the rule focuses on potentially malicious sources. Requiring both the trust-list match and a DMARC pass keeps a spoofed trusted domain from bypassing the rule, and the combination reduces false positives by taking the sender's reputation into account.
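The logic described above, as an added Python example that is not the rule's own query language or code. It assumes a constructed trust list, a directory pattern limited to the three directories named here, a link cap taken from the "up to ten links" wording, and a simple message record carrying direction, sender domain, DMARC result and the links already extracted from the body.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: only the three directories named on the page. A real rule
# would carry a longer list. The leading "/" and trailing "/" or end-of-path
# keep "repo.git/" or "/environment" from matching.
SENSITIVE_DIR_RE = re.compile(r"/(?:\.git|\.env|\.well-known)(?:/|$)", re.IGNORECASE)

# Constructed trust list for the example; an organisation would load its own.
TRUSTED_DOMAINS = {"example.com"}

# "Up to ten links" per the summary; the exact comparison in the live rule is assumed.
MAX_LINKS = 10


@dataclass
class Message:
    direction: str        # "inbound" or "outbound"
    sender_domain: str    # domain of the header From address
    dmarc_pass: bool      # result of DMARC authentication
    links: list[str]      # hrefs extracted from the body


def sensitive_links(links: list[str]) -> list[str]:
    """Return the links whose URL path enters a sensitive or hidden directory."""
    hits = []
    for href in links:
        path = urlparse(href).path
        if SENSITIVE_DIR_RE.search(path):
            hits.append(href)
    return hits


def is_trusted_sender(msg: Message) -> bool:
    """Trusted only when the domain is on the list AND DMARC passed.

    A trusted domain that fails DMARC is treated as untrusted, because a
    spoofed From address is exactly the case the exemption must not cover.
    """
    return msg.sender_domain.lower() in TRUSTED_DOMAINS and msg.dmarc_pass


def matches_rule(msg: Message) -> bool:
    """Apply the detection: inbound, link count within the cap, untrusted
    sender, at least one link into a sensitive directory."""
    if msg.direction != "inbound":
        return False
    if len(msg.links) > MAX_LINKS:
        return False
    if is_trusted_sender(msg):
        return False
    return bool(sensitive_links(msg.links))


if __name__ == "__main__":
    # Constructed sample messages, not real traffic.
    samples = {
        "phish": Message("inbound", "login-alerts.example.net", False,
                         ["https://cdn.example.net/.well-known/secure/index.html"]),
        "trusted": Message("inbound", "example.com", True,
                           ["https://example.com/.well-known/acme-challenge/abc"]),
        "spoofed trusted": Message("inbound", "example.com", False,
                                   ["https://example.com/.well-known/acme-challenge/abc"]),
        "benign repo link": Message("inbound", "dev.example.org", False,
                                    ["https://git.example.org/team/app.git/"]),
    }
    for name, msg in samples.items():
        print(f"{name:17s} -> {'FLAG' if matches_rule(msg) else 'pass'}")
```

The sender exemption is deliberately a conjunction: a message from a listed domain that fails DMARC still goes through link matching, which is what stops an attacker from spoofing a trusted domain to slip a phishing link past the rule.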
Categories
- Web
- Cloud
Data Sources
- Web Credential
- Network Traffic
Created: 2025-01-15