
Summary
Detects inbound emails that contain a hyperlink whose URL path includes the substring '/getfile/filefor' and also embeds the recipient's email address. A download link personalized to the recipient is characteristic of spear-phishing: the adversary directs a specific user to a page that either delivers a tailored file or prompts for credentials. Detection operates on the anchor's href: the path component is extracted, checked for the marker substring, and compared against the message recipient's address. Because the address is frequently percent-encoded in the path ('@' as '%40') and may differ in letter case, the comparison should decode the path and match case-insensitively; the recipient's address appearing only in the query string does not satisfy this rule. The rule is labeled high severity and maps to Credential Phishing with social engineering tactics (MITRE ATT&CK T1566.002, Spearphishing Link). False positives may arise from legitimate file-sharing portals or internal workflows that reuse similar URL paths; correlating hits with sender reputation, link-domain assessment, recipient allow lists, and user behavior analytics reduces noise and improves precision.
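The detection logic described above, written out as an added example (this is not the rule's own implementation). It parses a raw message, collects the To/Cc addresses, extracts anchor hrefs from each HTML part, percent-decodes and case-folds the URL path, and reports links whose path contains '/getfile/filefor' together with a recipient address. The two sample messages, the domains and the function names are constructed for illustration.

```python
"""Flag personalized '/getfile/filefor' download links in inbound mail (example code)."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Marker substring from the rule description; matched against the decoded, lower-cased path.
SUSPICIOUS_PATH_FRAGMENT = "/getfile/filefor"


class _HrefCollector(HTMLParser):
    """Collect href attribute values from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value)


def extract_hrefs(html: str) -> list[str]:
    """Return every anchor href found in the HTML fragment."""
    parser = _HrefCollector()
    parser.feed(html)
    parser.close()
    return parser.hrefs


def path_targets_recipient(href: str, recipient: str) -> bool:
    """True if the URL *path* carries the marker substring and the recipient address.

    The path is percent-decoded so 'alice%40corp.example' matches, and compared
    case-insensitively. The query string is deliberately ignored: the rule is about
    the path, and an address in a tracking parameter is not the same signal.
    """
    try:
        path = urlsplit(href).path
    except ValueError:  # malformed URL (e.g. bad IPv6 literal); cannot match
        return False
    decoded = unquote(path).lower()
    return SUSPICIOUS_PATH_FRAGMENT in decoded and recipient.lower() in decoded


def recipient_addresses(msg: EmailMessage) -> list[str]:
    """Lower-cased addresses from the To and Cc headers."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def detect(raw_message: str) -> list[tuple[str, str]]:
    """Return (recipient, href) pairs for anchors whose path embeds that recipient."""
    msg = message_from_string(raw_message, policy=policy.default)
    recipients = recipient_addresses(msg)
    hits: list[tuple[str, str]] = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for href in extract_hrefs(part.get_content()):
            for rcpt in recipients:
                if path_targets_recipient(href, rcpt):
                    hits.append((rcpt, href))
    return hits


# Constructed sample: personalized link, address percent-encoded in the path -> hit.
PHISH = """\
From: "IT Service Desk" <desk@example-phish.test>
To: alice.smith@corp.example
Subject: Document shared with you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A file is waiting for you.</p>
<a href="https://files.example-phish.test/getfile/filefor/alice.smith%40corp.example?ref=1">Download</a>
</body></html>
"""

# Constructed sample: marker without the address, and the address only in a query string -> no hit.
BENIGN = """\
From: share@fileshare.example
To: alice.smith@corp.example
Subject: Quarterly report
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://fileshare.example/getfile/filefor/report-q3.pdf">Quarterly report</a>
<a href="https://corp.example/profile?user=alice.smith%40corp.example">Profile</a>
</body></html>
"""

if __name__ == "__main__":
    print("phish  :", detect(PHISH))
    print("benign :", detect(BENIGN))
```

Run over a mail feed, each hit is a candidate alert; the benign sample shows why the marker substring alone or the address alone is not enough, and why the query string is excluded.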
Categories
- Web
Data Sources
- Network Traffic
Created: 2026-06-13