
Open Redirect: whitefox.pl

Sublime Rules

Summary
This detection rule aims to identify exploitation of an open redirect on whitefox.pl, which has been observed in various attacks. The rule inspects links in incoming messages that point to demo.whitefox.pl, specifically those carrying a particular path and query string, and checks whether the returnUrl parameter points anywhere other than whitefox.pl or one of its subdomains. A returnUrl that leaves the whitefox.pl domain is the signature of the abuse: the legitimate site bounces the victim to an attacker-controlled page, typically a credential phishing form or a malware drop.

To reduce false positives, the rule also evaluates the sender domain against a list of high-trust domains. A message from a trusted sender is exempted only when that sender passes DMARC authentication; a trusted domain that fails DMARC, or a sender domain that is not on the list, leaves the message flagged. Combining the URL check with sender analysis targets credential phishing and malware delivery through deceptive redirects while sparing legitimate, authenticated mail.
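The following is an added, stand-alone re-implementation of the two checks the summary describes, written for this page rather than taken from the Sublime rule itself. It assumes the query parameter is named returnUrl (as the summary states) and does not filter on the specific path, since the summary does not name it. The trusted-sender list, the sample links and the sender domains are constructed for illustration. The example goes slightly beyond the summary by showing why the "subdomain of whitefox.pl" test must match on a dot boundary: a naive substring check would accept lookalikes such as whitefox.pl.evil.example or a userinfo trick like https://whitefox.pl@evil.example/.

```python
"""Toy re-implementation of the whitefox.pl open-redirect detection (added example)."""
from urllib.parse import parse_qs, urlsplit

# Values named on the page.
REDIRECT_HOST = "demo.whitefox.pl"
REDIRECT_ROOT = "whitefox.pl"
RETURN_PARAM = "returnurl"  # compared case-insensitively

# Constructed stand-in for the rule's trusted-sender list (assumption: the real list differs).
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"microsoft.com", "docusign.com"}


def host_in_domain(host: str, root: str) -> bool:
    """True if host is root or a subdomain of root. Matching on a dot boundary
    rejects lookalikes such as whitefox.pl.evil.example or notwhitefox.pl."""
    host = host.lower().rstrip(".")
    return host == root or host.endswith("." + root)


def redirect_target_host(value: str) -> str:
    """Host the returnUrl value sends the browser to. Scheme-relative values
    ('//evil.example/x') carry a host; plain paths ('/account') stay on the
    site and yield '' so the caller treats them as same-origin. urlsplit's
    hostname already strips userinfo, so 'https://whitefox.pl@evil.example/'
    resolves to evil.example."""
    return (urlsplit(value.strip()).hostname or "").lower()


def is_external_redirect(link: str) -> bool:
    """True when link points at demo.whitefox.pl and its returnUrl leaves whitefox.pl."""
    parts = urlsplit(link)
    if (parts.hostname or "").lower() != REDIRECT_HOST:
        return False
    # parse_qs percent-decodes each value once, as the redirect endpoint would.
    for key, values in parse_qs(parts.query).items():
        if key.lower() != RETURN_PARAM:
            continue
        for value in values:
            target = redirect_target_host(value)
            if target and not host_in_domain(target, REDIRECT_ROOT):
                return True
    return False


def sender_exempt(sender_root_domain: str, dmarc_pass: bool) -> bool:
    """A trusted sender is exempt only when DMARC passes; a trusted domain that
    fails DMARC is treated like any unknown sender, since it is likely spoofed."""
    return sender_root_domain.lower() in HIGH_TRUST_SENDER_ROOT_DOMAINS and dmarc_pass


def should_flag(message: dict) -> bool:
    """Flag a message unless its sender is exempt or none of its links abuse the redirect."""
    if sender_exempt(message["sender_root_domain"], message["dmarc_pass"]):
        return False
    return any(is_external_redirect(link) for link in message["links"])


# Constructed sample messages; domains, links and outcomes are illustrative only.
PHISH_LINK = ("https://demo.whitefox.pl/Account/Login"
              "?returnUrl=https%3A%2F%2Flogin.evil.example%2Fo365")
SAMPLE_MESSAGES = {
    "unknown sender, redirect to external login page":
        {"sender_root_domain": "phish.example", "dmarc_pass": False, "links": [PHISH_LINK]},
    "trusted sender, DMARC pass, same link":
        {"sender_root_domain": "docusign.com", "dmarc_pass": True, "links": [PHISH_LINK]},
    "trusted sender, DMARC fail, same link":
        {"sender_root_domain": "docusign.com", "dmarc_pass": False, "links": [PHISH_LINK]},
    "returnUrl stays on a whitefox.pl subdomain":
        {"sender_root_domain": "phish.example", "dmarc_pass": False, "links": [
            "https://demo.whitefox.pl/Account/Login?returnUrl=https%3A%2F%2Fwww.whitefox.pl%2Fhome"]},
    "lookalike suffix in returnUrl":
        {"sender_root_domain": "phish.example", "dmarc_pass": False, "links": [
            "https://demo.whitefox.pl/Account/Login?ReturnUrl=https://whitefox.pl.evil.example/"]},
    "scheme-relative returnUrl":
        {"sender_root_domain": "phish.example", "dmarc_pass": False, "links": [
            "https://demo.whitefox.pl/Account/Login?returnUrl=//evil.example/x"]},
    "relative-path returnUrl":
        {"sender_root_domain": "phish.example", "dmarc_pass": False, "links": [
            "https://demo.whitefox.pl/Account/Login?returnUrl=%2Faccount"]},
    "other whitefox.pl host, not the redirect endpoint":
        {"sender_root_domain": "phish.example", "dmarc_pass": False, "links": [
            "https://other.whitefox.pl/x?returnUrl=https://evil.example/"]},
}


def run_samples() -> dict:
    """Verdict per constructed sample message."""
    return {name: should_flag(msg) for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, flagged in run_samples().items():
        print(f"{'FLAG ' if flagged else 'pass '} {name}")
```

The relative-path case is deliberately not flagged: a returnUrl of /account keeps the victim on whitefox.pl, which is the legitimate use of the parameter and exactly what the rule's "leads back to whitefox.pl" exclusion is meant to permit.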
Categories
  • Web
  • Network
  • Cloud
  • Application
  • Identity Management
Data Sources
  • Web Credential
  • User Account
  • Network Traffic
Created: 2025-04-02