Suspicious message with unscannable Vercel link

Sublime Rules

Summary
This detection rule targets potential phishing attempts that use unscannable links to Vercel-hosted content, particularly from unsolicited senders. It checks that the message body contains fewer than 20 links and only a limited variety of unique root domains, which lowers the chance of matching legitimate content. Crucially, it requires that none of the links come from the same domain as the sender's email address, and it looks for red flags in the subject line or display name that are associated with phishing, such as account terminations or requests for urgent action. The rule suppresses false positives from delivery status attachments and excludes messages from highly trusted sender domains unless they fail DMARC authentication. An additional check detects scanned links that trigger Vercel's security block page. The overall aim is to alert on suspicious messages that could lead to credential theft while keeping false positives low.
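As an added illustration of the heuristics the summary describes (not the rule's own source, which this page does not reproduce), the following Python models the checks over constructed messages. The link-count cutoff comes from the summary; the root-domain cutoff, trusted-sender list, red-flag pattern and the `vercel_scan_blocked` field are assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

MAX_LINKS = 20                      # from the summary: fewer than 20 links in the body
MAX_ROOT_DOMAINS = 3                # assumed cutoff for "limited variety of root domains"
TRUSTED_DOMAINS = {"vercel.com"}    # constructed stand-in for a highly trusted sender list
# Assumed red-flag phrases: account termination / urgent-action language in subject or display name
RED_FLAGS = re.compile(r"terminat|suspend|urgent|immediately|verify your account|action required", re.I)


def root_domain(host: str) -> str:
    """Crude registrable-domain helper (last two labels); an assumption, not a public-suffix lookup."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


@dataclass
class Message:
    sender: str                      # sender email address, e.g. "alerts@example.net"
    display_name: str
    subject: str
    links: list                      # URLs extracted from the message body
    attachment_types: list = field(default_factory=list)   # MIME types of attachments
    dmarc_pass: bool = True
    vercel_scan_blocked: bool = False   # assumed flag: link scan hit Vercel's security block page


def is_suspicious(msg: Message) -> bool:
    sender_root = root_domain(msg.sender.split("@")[-1])
    # Negations first: delivery status reports, and trusted senders that still pass DMARC.
    if any(t.lower() == "message/delivery-status" for t in msg.attachment_types):
        return False
    if sender_root in TRUSTED_DOMAINS and msg.dmarc_pass:
        return False
    hosts = [urlparse(u).hostname or "" for u in msg.links]
    roots = {root_domain(h) for h in hosts if h}
    # The message must reference Vercel-hosted content: a vercel.app link or a blocked scan.
    vercel_link = any(h == "vercel.app" or h.endswith(".vercel.app") for h in hosts)
    if not (vercel_link or msg.vercel_scan_blocked):
        return False
    # Few links and few distinct root domains, none of them the sender's own domain.
    if not (0 < len(msg.links) < MAX_LINKS and len(roots) <= MAX_ROOT_DOMAINS):
        return False
    if sender_root in roots:
        return False
    # Finally, phishing language in the subject line or the display name.
    return bool(RED_FLAGS.search(msg.subject) or RED_FLAGS.search(msg.display_name))
```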
Categories
  • Endpoint
  • Cloud
  • Web
Data Sources
  • User Account
  • Network Traffic
  • Process
Created: 2025-06-11