
Summary
This detection rule identifies messages containing links to spam websites that exhibit certain evasion techniques. Its primary focus is flagging links that have been associated with spam-related behavior, particularly when the link's root domain differs from the sender's domain. The rule analyzes the links in the message body and extracts their unique root domains, narrowing them to potential spam sites: irrelevant domains are excluded, known legitimate services (for example `aka.ms`) are not flagged, and the remaining links must resemble a single spam pattern. Evasion behavior is determined through link analysis metrics, where observed patterns include notifications from the IP provider indicating blacklisting or standard rate-limiting messages such as "Too Many Requests!" These signals confirm the potential spam nature of the communication and trigger an alert for review.
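The following is an added illustration of the rule's logic, not the rule's own implementation: it extracts links from a constructed message, drops links whose root domain matches the sender or is on an allowlist (`aka.ms`), and flags the rest when a constructed link-analysis result shows a blacklisting notice or a "Too Many Requests" response. The sender address, URLs and analysis strings are all made up for the example, and the root-domain helper is a naive stand-in for a public-suffix lookup.

```python
import re
from urllib.parse import urlparse

# Constructed sample message: the sender and the body links are invented for this example.
SAMPLE_MESSAGE = {
    "sender": "alerts@contoso-example.com",
    "body": (
        "Your account needs attention: https://login.contoso-example.com/reset\n"
        "Also see https://aka.ms/help and http://cheap-pills-example.net/offer?x=1"
    ),
}

# Constructed link-analysis output, keyed by URL (what a fetch/sandbox step returned).
SAMPLE_LINK_ANALYSIS = {
    "https://login.contoso-example.com/reset": "200 OK <html>Reset your password</html>",
    "https://aka.ms/help": "302 Found",
    "http://cheap-pills-example.net/offer?x=1": "429 Too Many Requests! Your IP has been blacklisted",
}

KNOWN_LEGIT_DOMAINS = {"aka.ms"}  # allowlisted legitimate service from the rule description
EVASION_PATTERNS = re.compile(r"too many requests|blacklist", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def root_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); a production rule should use a public-suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def evaluate(message: dict, link_analysis: dict) -> list:
    """Return the URLs that match the rule; an empty list means the message is clean."""
    sender_root = root_domain(message["sender"].split("@")[-1])
    seen_roots, hits = set(), []
    for url in URL_RE.findall(message["body"]):
        root = root_domain(urlparse(url).hostname or "")
        if root in KNOWN_LEGIT_DOMAINS or root == sender_root or root in seen_roots:
            continue  # allowlisted service, same-domain link, or root domain already checked
        seen_roots.add(root)
        # Evasion signal: link analysis saw a blacklisting notice or a rate-limit response.
        if EVASION_PATTERNS.search(link_analysis.get(url, "")):
            hits.append(url)
    return hits


if __name__ == "__main__":
    print(evaluate(SAMPLE_MESSAGE, SAMPLE_LINK_ANALYSIS))
```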
Categories
- Web
- Network
- Endpoint
Data Sources
- Web Credential
- Network Traffic
- Process
Created: 2025-11-26