
Link: Flagged bit.ly link

Sublime Rules

Summary
This detection rule identifies malicious emails that contain links to the URL shortening service bit.ly which have been flagged or blocked. The rule combines several conditions. First, it checks whether the inbound email contains any link whose domain is bit.ly, and that the link does not forward to another domain, i.e. it is still routed through bit.ly at its final destination. Second, it checks whether the link is blocked or gated, as indicated by the display text of the final domain, looking for key phrases such as 'link blocked' or 'flagged by'. Third, it excludes highly trusted sender domains unless the message fails DMARC authentication: the sender must either be absent from the high-trust list or, if present on it, have failed DMARC checks. Finally, it uses sender profiling to filter out solicited messages and to surface senders with a history of malicious or spam communication, while ensuring that no false positives have been recorded for those messages.
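The conditions above, restated as an added Python illustration for readers who want to see how the pieces combine. This is not the rule's own MQL: the message schema, the high-trust list, the profile fields and the sample messages are all constructed assumptions.

```python
# Plain-Python restatement of the conditions described above. Sublime rules are
# written in MQL and the real field names differ; the message schema, the
# high-trust list and the profile fields here are constructed assumptions.
from urllib.parse import urlparse

HIGH_TRUST_DOMAINS = {"payroll-portal.example", "bank.example"}  # constructed
BLOCK_PHRASES = ("link blocked", "flagged by")

def root_domain(url: str) -> str:
    """Host of a URL, lowercased, minus a leading 'www.' (simplified root domain)."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def is_flagged_bitly_link(link: dict) -> bool:
    """bit.ly href that still lands on bit.ly and whose page text says blocked/flagged."""
    final = link.get("final_url", link["href"])
    text = link.get("display_text", "").lower()
    return (root_domain(link["href"]) == "bit.ly"
            and root_domain(final) == "bit.ly"
            and any(phrase in text for phrase in BLOCK_PHRASES))

def sender_is_suspect(msg: dict) -> bool:
    """High-trust senders are excluded unless the message fails DMARC."""
    return msg["sender_domain"] not in HIGH_TRUST_DOMAINS or msg["dmarc"] == "fail"

def profile_is_suspect(profile: dict) -> bool:
    """Unsolicited sender, or prior malicious/spam mail with no false positives."""
    history = profile["malicious_or_spam_count"] > 0
    return not profile["solicited"] or (history and profile["false_positives"] == 0)

def matches_rule(msg: dict) -> bool:
    return (msg["direction"] == "inbound"
            and any(is_flagged_bitly_link(link) for link in msg["links"])
            and sender_is_suspect(msg)
            and profile_is_suspect(msg["profile"]))

# Constructed sample: unsolicited sender, bit.ly link that lands on a bit.ly block page.
SAMPLE_FLAGGED = {
    "direction": "inbound", "sender_domain": "promo-blast.example", "dmarc": "pass",
    "links": [{"href": "https://bit.ly/3xAbCdE",
               "final_url": "https://bit.ly/a/warning?hash=3xAbCdE",
               "display_text": "Link blocked: this link has been flagged by bit.ly."}],
    "profile": {"solicited": False, "malicious_or_spam_count": 0, "false_positives": 0},
}
# Same link from a high-trust sender that passes DMARC: excluded by the rule.
SAMPLE_TRUSTED = dict(SAMPLE_FLAGGED, sender_domain="bank.example")
# Link that forwards off bit.ly: not flagged, regardless of display text.
SAMPLE_REDIRECTED = dict(SAMPLE_FLAGGED, links=[dict(SAMPLE_FLAGGED["links"][0],
                                                     final_url="https://vendor.example/")])
```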
Categories
  • Endpoint
  • Web
  • Application
  • Identity Management
Data Sources
  • Web Credential
  • Network Traffic
  • User Account
Created: 2023-06-30