diff --git a/detection-rules/monday_infra_abuse.yml b/detection-rules/monday_infra_abuse.yml
new file mode 100644
index 00000000000..c56103e688e
--- /dev/null
+++ b/detection-rules/monday_infra_abuse.yml
@@ -0,0 +1,144 @@
+name: "Service abuse: Monday.com infrastructure with phishing intent"
+description: "Detects unauthorized use of Monday.com tracking links in messages, attachments, or QR codes from unusual senders who lack proper authentication. Excludes legitimate replies and messages from trusted domains with valid DMARC."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and (
+    (
+      length(body.links) < 15
+      and any(body.links, 'monday_tracker' in .href_url.rewrite.encoders)
+    )
+    or (
+      length(attachments) <= 3
+      and (
+        any(attachments,
+            (.file_type in $file_types_images or .file_type == "pdf")
+            //
+            // This rule makes use of a beta feature and is subject to change without notice
+            // using the beta feature in custom rules is not suggested until it has been formally released
+            //
+            and any(beta.scan_qr(.).items,
+                    .type is not null
+                    and 'monday_tracker' in .url.rewrite.encoders
+            )
+            //
+            // This rule makes use of a beta feature and is subject to change without notice
+            // using the beta feature in custom rules is not suggested until it has been formally released
+            //
+            // exclude images taken with mobile cameras and screenshots from android
+            and not any(beta.parse_exif(.).fields,
+                        .key == "Model"
+                        or (
+                          .key == "Software"
+                          and strings.starts_with(.value, "Android")
+                        )
+            )
+            // exclude images taken with mobile cameras and screenshots from Apple
+            and not any(beta.parse_exif(.).fields,
+                        .key == "DeviceManufacturer"
+                        and .value == "Apple Computer Inc."
+            )
+        )
+      )
+    )
+    or (
+      length(attachments) == 0
+      and (
+        //
+        // This rule makes use of a beta feature and is subject to change without notice
+        // using the beta feature in custom rules is not suggested until it has been formally released
+        //
+        beta.parse_exif(file.message_screenshot()).image_height < 2000
+        and beta.parse_exif(file.message_screenshot()).image_width < 2000
+        and beta.scan_qr(file.message_screenshot()).found
+        and any(beta.scan_qr(file.message_screenshot()).items,
+                .type is not null and 'monday_tracker' in .url.rewrite.encoders
+        )
+      )
+    )
+    or (
+      length(attachments) <= 3
+      and (
+        any(attachments,
+            (
+              .file_type in ("pdf")
+              or .file_extension in ("pdf", "eml")
+              or .file_extension in $file_extensions_macros
+              or .content_type in ("message/rfc822")
+            )
+            and any(file.explode(.),
+                    any(.scan.url.urls,
+                        'monday_tracker' in .rewrite.encoders
+                    )
+            )
+        )
+      )
+    )
+  )
+  and not (
+    any(headers.domains, strings.ends_with(.domain, "mail.monday.com"))
+    or (
+      headers.auth_summary.dmarc.details.from.root_domain == "monday.com"
+      and headers.auth_summary.spf.pass
+      and headers.auth_summary.dmarc.pass
+    )
+  )
+  // negating legit replies
+  and not (
+    (
+      strings.istarts_with(subject.subject, "RE:")
+      or strings.istarts_with(subject.subject, "FW:")
+      or strings.istarts_with(subject.subject, "FWD:")
+      or strings.istarts_with(subject.subject, "Automatic reply:")
+    )
+    and (
+      length(headers.references) > 0
+      and any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+    )
+  )
+  // negate graymail and newsletters with a benign NLU intent
+  and not (
+    any(ml.nlu_classifier(body.current_thread.text).topics,
+        .name in~ (
+          "Advertising and Promotions",
+          "B2B Cold Outreach",
+          "Newsletters and Digests",
+          "Events and Webinars"
+        )
+        and .confidence == "high"
+    )
+    and any(ml.nlu_classifier(body.current_thread.text).intents,
+            .name == "benign" and .confidence == "high"
+    )
+  )
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      (
+        (
+          sender.email.domain.root_domain in $high_trust_sender_root_domains
+          and not headers.auth_summary.dmarc.pass
+        )
+        or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+      )
+      and profile.by_sender().prevalence in ("new", "outlier", "rare")
+    )
+    // salesforce has been abused to send phishing campaigns leveraging monday.com infrastructure abuse 
+    or sender.email.domain.root_domain == "salesforce.com"
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+  - "QR code"
+detection_methods:
+  - "Content analysis"
+  - "File analysis"
+  - "Header analysis"
+  - "QR code analysis"
+  - "Sender analysis"
+  - "URL analysis"
+id: "a346e3b1-603e-5ef0-8547-d40ba4282352"