diff --git a/detection-rules/link_freefile_freemail_nlu.yml b/detection-rules/link_freefile_freemail_nlu.yml
new file mode 100644
index 00000000000..23291ada3dd
--- /dev/null
+++ b/detection-rules/link_freefile_freemail_nlu.yml
@@ -0,0 +1,19 @@
+name: "Link: Free file host from freemail sender with NLU intent"
+description: "Detects free file host links sent by freemail senders with a short body and NLU indicators."
+type: "rule"
+severity: "medium"
+source: "type.inbound\n\n// short body\nand length(body.plain.raw) < 500\n\n// NLU intent\nand (\n any(ml.nlu_classifier(body.plain.raw).intents, .name != \"benign\")\n and length(ml.nlu_classifier(body.plain.raw).intents) > 0\n)\n\n// free file host link\nand any(body.links, .href_url.domain.domain in~ $free_file_hosts)\n\n// freemail sender\nand sender.email.domain.root_domain in $free_email_providers\n\nand (\n not profile.by_sender().any_false_positives \n and not profile.by_sender().solicited\n)\n"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free email provider"
+ - "Free file host"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
+ - "URL analysis"
+id: "569817fe-96b5-5c1d-96dc-30cd1cb9fd16"
+testing_pr: 861
+testing_sha: b66c253e300be08704bde4a26ea84b3650c5fcf6
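Review bot: In the `source` string, `and length(ml.nlu_classifier(body.plain.raw).intents) > 0` is redundant — the preceding `any(ml.nlu_classifier(body.plain.raw).intents, .name != "benign")` can only be true when the intents list is non-empty, so the second clause adds a second classifier invocation without narrowing the match; drop it, or replace it with a gate on the matched intent's confidence if the classifier exposes one, so that a single low-confidence non-benign intent on a sub-500-character body does not by itself raise a medium-severity alert. The two list lookups also differ in case handling: the file-host check uses `in~` while `sender.email.domain.root_domain in $free_email_providers` uses case-sensitive `in`; unless the root domain is guaranteed lowercase, use `in~` for both so a mixed-case sender domain is not silently excluded. There is also a trailing space before `\n` after `any_false_positives`, harmless to the query but worth trimming for hygiene.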