diff --git a/detection-rules/link_multiple_http_protocols_in_single_url.yml b/detection-rules/link_multiple_http_protocols_in_single_url.yml
new file mode 100644
index 00000000000..bf35d18ae15
--- /dev/null
+++ b/detection-rules/link_multiple_http_protocols_in_single_url.yml
@@ -0,0 +1,19 @@
+name: "Link: Multiple HTTP protocols in single URL"
+description: "Detects messages containing links with 5 or more HTTP protocol declarations within a single URL, indicating potential URL manipulation or obfuscation techniques."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and 0 < length(body.current_thread.links) < 10
+  and any(body.current_thread.links, regex.icount(.href_url.url, 'http(s)?(%)?[^a-z]') >= 5 and .visible)
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Content analysis"
+  - "URL analysis"
+id: "92f9d241-ebd2-53b8-9c67-6f9ec3e263b8"