
Summary
This detection rule identifies messages that link to newly created Adobe Express pages, which may serve as landing pages for phishing attacks. The detection logic analyzes the links and the domains associated with them, filtering for links that are external to Adobe and meet specific risk criteria. Key indicators include newly registered domains, known free file hosts and free subdomain hosts, URL shorteners, and links that lead to phishing pages or trigger CAPTCHA challenges when accessed. The rule aims to proactively counter credential phishing attempts by evaluating link behavior within message groups related to Adobe Express. By combining thorough link analysis with checks on domain age and sender prevalence, the rule flags potentially malicious links intended to deceive users.
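The link criteria described above can be sketched as follows. This is an added example, not the rule's own source: the host lists, the 30-day age threshold, the record fields and the `.example` domains are all assumptions, and registration dates and landing-page verdicts are taken as given inputs from whatever enrichment and link analysis is available.

```python
from datetime import date
from urllib.parse import urlsplit

# Every list and threshold below is an assumption made for this example.
ADOBE_DOMAINS = ("adobe.com", "adobe.io")
FREE_FILE_HOSTS = {"filehost.example"}
FREE_SUBDOMAIN_HOSTS = {"freesites.example"}
URL_SHORTENERS = {"short.example"}
MAX_DOMAIN_AGE_DAYS = 30

def _under(host, domain):
    # Exact match or true subdomain, so "adobe.com.evil.example" is not Adobe.
    return host == domain or host.endswith("." + domain)

def link_reasons(link, today):
    """Return the risk criteria matched by one link found on the page.
    `link` is a constructed record: url, registered_on, landing verdicts."""
    host = (urlsplit(link["url"]).hostname or "").lower()
    if not host or any(_under(host, d) for d in ADOBE_DOMAINS):
        return []  # only links external to Adobe are evaluated
    reasons = []
    reg = link.get("registered_on")
    if reg is not None and (today - reg).days <= MAX_DOMAIN_AGE_DAYS:
        reasons.append("new_domain")
    if any(_under(host, d) for d in FREE_FILE_HOSTS):
        reasons.append("free_file_host")
    # A free subdomain host counts only when the link uses a subdomain of it.
    if any(host.endswith("." + d) for d in FREE_SUBDOMAIN_HOSTS):
        reasons.append("free_subdomain_host")
    if any(_under(host, d) for d in URL_SHORTENERS):
        reasons.append("url_shortener")
    # Verdicts produced by visiting the link (assumed to be supplied upstream).
    reasons += sorted(link.get("landing", set()) & {"phishing", "captcha"},
                      reverse=True)
    return reasons

def evaluate_page(links, today):
    """Map each risky external URL to the criteria it matched."""
    hits = {l["url"]: link_reasons(l, today) for l in links}
    return {url: r for url, r in hits.items() if r}

# Constructed sample: links extracted from one Adobe Express page.
SAMPLE_LINKS = [
    {"url": "https://helpx.adobe.com/express.html", "registered_on": date(2000, 1, 1)},
    {"url": "https://login.freesites.example/doc", "registered_on": date(2010, 1, 1)},
    {"url": "https://portal-verify.example/a", "registered_on": date(2024, 7, 20),
     "landing": {"captcha"}},
    {"url": "https://docs.vendor.example/spec", "registered_on": date(2015, 5, 5)},
]
```

A production version would resolve registrable domains with the Public Suffix List and would also weigh sender prevalence, which this sketch leaves out.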
Categories
- Web
- Cloud
- Application
Data Sources
- User Account
- Network Traffic
- Web Credential
- Process
Created: 2024-07-26