diff --git a/detection-rules/link_financial_document_timeline_template.yml b/detection-rules/link_financial_document_timeline_template.yml
new file mode 100644
index 00000000000..900a8888728
--- /dev/null
+++ b/detection-rules/link_financial_document_timeline_template.yml
@@ -0,0 +1,72 @@
+name: "Link: Generic financial document and suspicious hosting template"
+description: "Detects messages with generic 'dear sir/madam' greetings that reference payment releases & timelines, contain links with suspicious hosting or open redirects, and exhibit unusual recipient patterns such as self-sending or missing recipients."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ // standard generic greeting
+ and (
+ strings.istarts_with(body.current_thread.text, "dear sir/madam")
+ // expectation of time
+ and regex.icontains(body.current_thread.text,
+ 'will be released|\b[1-4].[1-4]\b.{1,10}days?'
+ )
+ )
+ // link is malicious
+ and any(body.links,
+ // key phrasing or nlu
+ (
+ regex.icontains(.display_text,
+ '(?:access|view).{0,10}|payment|statement'
+ )
+ or any(ml.nlu_classifier(body.current_thread.text).topics,
+ .name == "Request to View Invoice" and .confidence != "low"
+ )
+ )
+ // suspicious hosting
+ and (
+ .href_url.domain.root_domain in $free_file_hosts
+ or .href_url.domain.tld in $suspicious_tlds
+ or .href_url.domain.root_domain not in $tranco_1m
+ // open redirect
+ or strings.icontains(.href_url.query_params, '=https')
+ )
+ // negate org domains
+ and .href_url.domain.valid != false
+ and .href_url.domain.root_domain not in $org_domains
+ )
+ // suspicious sender behavior
+ and (
+ (
+ length(recipients.to) == 1
+ and length(recipients.cc) == 0
+ and sender.email.email == recipients.to[0].email.email
+ )
+ // no recipient
+ or (
+ (
+ length(recipients.to) == 0
+ and length(recipients.bcc) == 0
+ and length(recipients.cc) == 0
+ )
+ or any(recipients.to,
+ strings.ilike(.display_name, "undisclosed?recipients")
+ )
+ )
+ )
+
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free file host"
+ - "Open redirect"
+ - "Social engineering"
+ - "Evasion"
+detection_methods:
+ - "Content analysis"
+ - "Natural Language Understanding"
+ - "URL analysis"
+ - "Header analysis"
+ - "Sender analysis"
+id: "027cb65d-aee3-5f10-9555-20b719bbde42"
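Review bot: The link display-text regex `'(?:access|view).{0,10}|payment|statement'` in the "key phrasing" branch does not express what the comment implies: the trailing `.{0,10}` matches nothing in particular, so the alternation reduces to an unanchored `access|view|payment|statement`, and "view" alone also fires on "review", "preview" or "overview" in any link's display text. If the intent is a verb near an object noun, the grouping needs to be explicit, e.g. `'\b(?:access|view)\b.{0,10}\b(?:payment|statement)\b'`; if any one of the four words is meant to suffice, `'\b(?:access|view|payment|statement)\b'` at least bounds the tokens. Two smaller points in the same source block: the timeline pattern `\b[1-4].[1-4]\b` uses an unescaped `.`, so any single character passes as the separator (likely intended, but `[-–]` or `\s` would make that explicit), and the open-redirect check `strings.icontains(.href_url.query_params, '=https')` misses plain-http targets, which `'=http'` would cover without losing the current matches. The other gates (generic greeting, timeline, self-send or undisclosed-recipient conditions) keep the weak phrasing check from dominating, so this is a precision-of-intent issue rather than a standalone false-positive risk.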