
Link: Personalized URL with recipient address on commonly abused web service

Sublime Rules

Summary
Detects inbound emails containing links to file hosting or self-service platforms where the recipient's email address is embedded in the URL path, fragment, or base64-encoded components. The rule triggers when the message has a single recipient with a valid domain and 1–9 links formatted as hyperlinks. It searches for the recipient's address within the URL path, fragment, or base64-decoded segments of the path or fragment, then validates the link against a set of high-risk hosting and redirection domains (free file hosts, self-service platforms, URL shorteners) and suspicious top-level domains. It flags URLs with redirect-oriented patterns, hash fragments, or prohibited campaign parameters, while excluding known legitimate services (e.g., SharePoint) and unsubscribe paths. Additional checks include the age of the hosting domain (WHOIS days), the absence of benign intents from an NLU classifier, and sender trust validation (DMARC). The intent is to identify credential phishing and malware distribution delivered through personalized, targeted URLs and social-engineering tactics, primarily via URL analysis and header/content inspection.
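The core of the summary is the search for the recipient's address in the URL path, fragment, or base64-decoded path/fragment segments. The following is an added illustration of that check in Python, written for this page and not taken from the Sublime rule itself; the host names, the recipient address and the sample links are constructed, and the domain-reputation, WHOIS-age, NLU and DMARC checks the summary also lists are intentionally left out.

```python
import base64
import binascii
from urllib.parse import unquote, urlparse


def _decode_base64_segment(segment: str):
    """Return the UTF-8 text hidden in a base64 (standard or URL-safe) segment, or None.

    Padding is restored before decoding because URL builders often strip it, and
    validate=True rejects segments containing characters outside the alphabet so
    ordinary words such as "invoice.pdf" are not mistaken for encoded data.
    """
    cleaned = segment.strip()
    if len(cleaned) < 8:  # too short to carry an address; skip
        return None
    standard = cleaned.replace("-", "+").replace("_", "/")
    padded = standard + "=" * (-len(standard) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def recipient_in_url(recipient: str, url: str):
    """Return where the recipient address was found ("path", "fragment", "base64") or None.

    Mirrors the summary: the literal address in the path or fragment (after
    percent-decoding), then the address inside base64-decoded path or fragment
    segments. Query parameters are deliberately not searched.
    """
    needle = recipient.lower()
    parsed = urlparse(url)
    path = unquote(parsed.path)
    fragment = unquote(parsed.fragment)
    if needle in path.lower():
        return "path"
    if needle in fragment.lower():
        return "fragment"
    segments = [s for s in path.split("/") if s] + [s for s in fragment.split("/") if s]
    for seg in segments:
        decoded = _decode_base64_segment(seg)
        if decoded and needle in decoded.lower():
            return "base64"
    return None


def personalized_links(recipient: str, urls):
    """Return (url, reason) for every link that embeds the recipient's address."""
    hits = []
    for url in urls:
        reason = recipient_in_url(recipient, url)
        if reason:
            hits.append((url, reason))
    return hits


# Constructed sample: one recipient and the links extracted from a message body.
# The hosts use the reserved .test TLD and do not correspond to real services.
RECIPIENT = "alice@example.com"
SAMPLE_URLS = [
    "https://files.example-host.test/share/alice@example.com/invoice.pdf",
    "https://forms.example-host.test/view#alice%40example.com",
    "https://cdn.example-host.test/d/"
    + base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("="),
    "https://docs.example-host.test/open?user=alice@example.com",  # query only: not matched
    "https://news.example-host.test/article/12345",
]

if __name__ == "__main__":
    for url, reason in personalized_links(RECIPIENT, SAMPLE_URLS):
        print(f"{reason:8} {url}")
```

In a real pipeline this check is only the first gate; as the summary describes, a hit is then weighed against the hosting domain's reputation and age, the presence of redirect or campaign parameters, and sender authentication before the message is flagged.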
Categories
  • Web
  • Network
Data Sources
  • Network Traffic
  • Application Log
  • Domain Name
  • Process
  • File
Created: 2026-04-02