
Summary
The detection rule targets malicious emails containing unscannable Cloudflare links, focusing particularly on unsolicited messages. The rule analyzes both the content and the metadata of incoming emails to identify potential phishing attempts. It applies several conditions, including checking the subject line or the sender's display name for keywords commonly associated with phishing, such as terms related to account termination, security alerts, or urgent requests for user action. Additionally, it requires that the links in the message body are not on the same domain as the sender and number fewer than ten in total. The rule also examines link analysis results to confirm that at least one clickable URL leads to a Cloudflare link that cannot be scanned, either because a CAPTCHA was encountered or because the fetched body is short enough to indicate an access barrier. Recognized trusted domains are exempted and are only flagged when they fail DMARC authentication. The overall approach combines content analysis, header analysis, URL verification, and sender scrutiny, and flags messages that meet these criteria as medium-severity threats.
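The following Python model is an added illustration of the conditions listed in the summary, not the rule's own code. The lure vocabulary, the Cloudflare hostname suffixes, the trusted-domain list, the body-length threshold, and the message and link-analysis layout are all assumptions made for this example; the sample messages are constructed.

```python
"""Model of the detection logic described in the summary (added example,
not the vendor's rule). Domain lists, keyword list, the body-length
threshold and the message layout are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Assumed phishing-lure vocabulary for the subject / display-name check.
SUSPICIOUS_TERMS = (
    "account terminat", "account suspend", "security alert",
    "unusual sign-in", "action required", "immediate action",
    "verify your account", "password expir",
)

# Assumed hostname suffixes that identify a Cloudflare-hosted link.
CLOUDFLARE_SUFFIXES = (".pages.dev", ".workers.dev", ".trycloudflare.com", ".r2.dev")

# Assumed: a fetched page shorter than this is treated as an access barrier.
MIN_SCANNABLE_BODY_LEN = 200

# Assumed trusted sender domains that only trigger when DMARC fails.
TRUSTED_DOMAINS = {"example-bank.com"}


@dataclass
class LinkResult:
    """Outcome of link analysis for one clickable URL (constructed)."""
    href: str
    effective_url: str       # final URL after redirects
    captcha: bool = False    # link analysis hit a CAPTCHA challenge
    body_length: int = 0     # size of the fetched page body


@dataclass
class Message:
    sender_email: str
    display_name: str
    subject: str
    dmarc_pass: bool
    links: List[LinkResult] = field(default_factory=list)


def root_domain(host: str) -> str:
    """Crude registrable-domain extraction: last two labels (assumption)."""
    return ".".join(host.lower().split(".")[-2:])


def is_cloudflare(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host.endswith(s) or host == s.lstrip(".") for s in CLOUDFLARE_SUFFIXES)


def has_lure_terms(msg: Message) -> bool:
    text = f"{msg.subject} {msg.display_name}".lower()
    return any(term in text for term in SUSPICIOUS_TERMS)


def evaluate(msg: Message) -> Optional[str]:
    """Return the severity ("medium") when every rule condition holds, else None."""
    sender_domain = root_domain(msg.sender_email.split("@")[-1])

    # 1. Lure keywords in the subject or the sender display name.
    if not has_lure_terms(msg):
        return None

    # 2. Fewer than ten links, none on the sender's own domain.
    if not msg.links or len(msg.links) >= 10:
        return None
    for link in msg.links:
        if root_domain(urlparse(link.href).hostname or "") == sender_domain:
            return None

    # 3. At least one link lands on Cloudflare and could not be scanned
    #    (CAPTCHA seen, or body too short to inspect).
    unscannable = [
        link for link in msg.links
        if is_cloudflare(link.effective_url)
        and (link.captcha or link.body_length < MIN_SCANNABLE_BODY_LEN)
    ]
    if not unscannable:
        return None

    # 4. Trusted senders are only flagged when DMARC authentication fails.
    if sender_domain in TRUSTED_DOMAINS and msg.dmarc_pass:
        return None

    return "medium"


# Constructed sample messages exercising each branch of the rule.
SAMPLE_MESSAGES = [
    Message("alerts@mailer-xyz.test", "IT Security Alert",
            "Action required: account termination", dmarc_pass=True,
            links=[LinkResult("https://verify-login.pages.dev/x",
                              "https://verify-login.pages.dev/x",
                              captcha=True, body_length=850)]),
    Message("news@example-bank.com", "Example Bank",
            "Security alert on your account", dmarc_pass=True,
            links=[LinkResult("https://docs.pages.dev/a",
                              "https://docs.pages.dev/a", body_length=40)]),
    Message("news@example-bank.com", "Example Bank",
            "Security alert on your account", dmarc_pass=False,
            links=[LinkResult("https://docs.pages.dev/a",
                              "https://docs.pages.dev/a", body_length=40)]),
    Message("newsletter@shop.test", "Shop", "Your weekly deals", dmarc_pass=True,
            links=[LinkResult("https://promo.pages.dev/",
                              "https://promo.pages.dev/", captcha=True)]),
]


def evaluate_all(messages: List[Message]) -> List[Optional[str]]:
    return [evaluate(m) for m in messages]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLE_MESSAGES, evaluate_all(SAMPLE_MESSAGES)):
        print(f"{m.sender_email:28} {m.subject!r:42} -> {verdict}")
```

The second and third samples differ only in the DMARC result, which is what turns a trusted-domain exemption back into a hit; the fourth has an unscannable Cloudflare link but no lure wording, so it stays quiet, matching the rule's intent of combining several weak signals rather than alerting on any one of them.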
Categories
- Endpoint
- Web
- Cloud
- Identity Management
Data Sources
- User Account
- Network Traffic
- Process
- Web Credential
Created: 2023-11-23