Link: Display text with excessive right-to-left mark characters

Sublime Rules

Summary
This detection rule flags links in incoming messages whose display text contains an excessive number of right-to-left mark (RLM) Unicode characters (U+200F). RLM is an invisible formatting character, so it can be used to obfuscate the actual text of a link, creating confusion or a misleading impression about the content it points to. The rule applies only when the message body contains fewer than 10 links, which focuses it on the specific cases where this kind of deception might occur. The regex pattern matches sequences in which two or more RLM characters are sandwiched between Latin letters, indicating an attempt to manipulate the visual presentation of the link text. The rule is rated low severity: a match is a significant indicator of a potential phishing attempt, but it does not always represent a high-risk threat. The rule strengthens phishing detection by analyzing link text patterns in user communications, contributing to better protection against credential phishing attacks.
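The check described in the summary, sketched in Python as an added example; it is not the rule's own source. The regex shape, the `(display_text, href)` tuple layout and the sample links are assumptions constructed for illustration.

```python
import re

RLM = "\u200f"   # RIGHT-TO-LEFT MARK, zero-width when rendered
MAX_LINKS = 10   # the rule only applies to bodies with fewer than 10 links

# Assumed pattern shape: two or more RLMs sandwiched between Latin letters.
RLM_RUN = re.compile(r"[A-Za-z]\u200f{2,}[A-Za-z]")


def flagged_links(links):
    """Return the display texts that match.

    `links` is a list of (display_text, href) tuples taken from one message body.
    """
    if len(links) >= MAX_LINKS:
        return []  # link-heavy message: outside the rule's scope
    return [text for text, _href in links if RLM_RUN.search(text)]


def visible(text):
    """Make RLMs visible so an analyst can see where they sit in the text."""
    return text.replace(RLM, "<U+200F>")


# Constructed sample links (not taken from real messages).
SAMPLE_LINKS = [
    ("Sign in to your account", "https://example.com/login"),
    ("Pass" + RLM * 3 + "word reset", "https://example.net/reset"),  # match
    ("View" + RLM + "invoice", "https://example.org/inv"),  # one RLM: no match
    ("\u05e9\u05dc\u05d5\u05dd" + RLM * 2 + "\u05e2\u05d5\u05dc\u05dd",
     "https://example.org/he"),  # RLMs between Hebrew letters: no match
]

if __name__ == "__main__":
    for text in flagged_links(SAMPLE_LINKS):
        print("flagged:", visible(text))
```

A single RLM and RLMs inside right-to-left script do not match, which keeps ordinary bidirectional text out of the results.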
Categories
  • Web
  • Identity Management
  • Cloud
Data Sources
  • Application Log
  • Network Traffic
Created: 2026-01-07