Link: JavaScript obfuscation with Telegram bot integration

Sublime Rules

Summary
This detection rule identifies potentially malicious links that contain obfuscated JavaScript code together with embedded Telegram bot tokens, a combination that may indicate data exfiltration or the establishment of command and control (C2) infrastructure. It applies to inbound messages that contain between 1 and 14 links and have exactly one recipient whose email domain is valid. The detection uses regex patterns that match JavaScript obfuscation signatures typical of malicious scripts, along with patterns indicative of Telegram bot tokens and Bot API references. The rule supports security monitoring by flagging suspicious link activity that could be associated with credential phishing attacks and malicious scripting attempts.
Categories
  • Web
  • Cloud
  • Application
  • Network
  • Endpoint
Data Sources
  • Web Credential
  • Network Traffic
  • Application Log
  • User Account
Created: 2026-02-26