
Summary
This detection rule identifies attempts to abuse the 'events.csiro.au' redirect, which has been used in various phishing campaigns. The rule checks whether the inbound message contains links to the specified redirect and analyzes the associated query parameters for patterns indicative of phishing, specifically looking for '&ec_url=' within the URL. To reduce false positives, it excludes messages from the legitimate 'csiro.au' domain and considers sender reputation by assessing trusted sender domains and DMARC authentication status. Messages sent from high-trust domains are scrutinized further only if they fail DMARC checks or if the sender has a history of prior malicious activity. This rule aims to combat Credential Phishing and Malware/Ransomware by analyzing both the sender and the URL content.
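The following is an added example, not the rule's own query language, showing the detection logic described above in Python: a message is flagged when it carries a link to the redirect host with an 'ec_url' parameter, unless it comes from 'csiro.au' itself or from a high-trust domain that passes DMARC and has no prior malicious history. The message structure, the high-trust domain list, and the sample messages are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

REDIRECT_HOST = "events.csiro.au"       # open redirect named on the page
LEGIT_SENDER_DOMAIN = "csiro.au"        # legitimate owner, excluded to cut false positives
# Hypothetical high-trust sender list; the real rule's list is not on the page.
HIGH_TRUST_DOMAINS = {"trusted-partner.example"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def sender_domain(addr):
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()

def is_subdomain_of(host, domain):
    return host == domain or host.endswith("." + domain)

def has_redirect_link(body):
    """True if any URL in the body points at the redirect host and carries an
    ec_url parameter (parse_qs also matches it as the first parameter, which is
    slightly broader than a literal '&ec_url=' substring check)."""
    for raw in URL_RE.findall(body):
        u = urlparse(raw)
        host = (u.hostname or "").lower()
        if host == REDIRECT_HOST and "ec_url" in parse_qs(u.query):
            return True
    return False

def is_phishing_redirect(msg):
    """msg: dict with 'sender', 'body', 'dmarc_pass' (bool), 'prior_malicious' (bool)."""
    if not has_redirect_link(msg["body"]):
        return False
    dom = sender_domain(msg["sender"])
    if is_subdomain_of(dom, LEGIT_SENDER_DOMAIN):
        return False                     # legitimate owner of the redirect
    if dom in HIGH_TRUST_DOMAINS:
        # High-trust senders only alert on DMARC failure or a prior bad history.
        return (not msg["dmarc_pass"]) or msg["prior_malicious"]
    return True

# Constructed sample messages (not real campaign data).
ABUSE_LINK = "https://events.csiro.au/r?id=42&ec_url=https://phish.example/login"
SAMPLES = {
    "unknown_sender": {"sender": "billing@random-sender.example", "body": "Invoice: " + ABUSE_LINK,
                       "dmarc_pass": True, "prior_malicious": False},
    "legit_owner": {"sender": "noreply@events.csiro.au", "body": "Register: " + ABUSE_LINK,
                    "dmarc_pass": True, "prior_malicious": False},
    "trusted_dmarc_fail": {"sender": "it@trusted-partner.example", "body": ABUSE_LINK,
                           "dmarc_pass": False, "prior_malicious": False},
    "trusted_clean": {"sender": "it@trusted-partner.example", "body": ABUSE_LINK,
                      "dmarc_pass": True, "prior_malicious": False},
    "no_ec_url": {"sender": "x@random-sender.example", "body": "https://events.csiro.au/r?id=42",
                  "dmarc_pass": True, "prior_malicious": False},
}
```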
Categories
- Web
- Identity Management
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2024-09-18