
Summary
This detection rule identifies inbound messages that carry a link through the embluemail.com redirect, a redirect endpoint that has been abused in phishing campaigns. The rule fires when a link in the message has the domain 'nts.embluemail.com' and a URL path beginning with '/p/cl', and the query parameters contain characters and patterns associated with abuse of the redirect. Messages from highly trusted sender domains are excluded unless they fail DMARC authentication, so a spoofed trusted domain is still evaluated. Sender domain and URL characteristics are analyzed together to detect phishing attempts, particularly credential harvesting or malicious payload delivery via the redirect, while excluding recognized legitimate sources keeps false positives low.
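As an added worked example (not the rule's own code or the vendor's implementation), the following Python reproduces the checks described above over a few constructed messages: host match on nts.embluemail.com, path prefix /p/cl, a suspicious query parameter, and the DMARC-conditioned exemption for high-trust senders. The high-trust domain list and the specific query-parameter pattern (here, a query value that embeds another URL) are assumptions, since the page does not state the rule's actual pattern or list.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Assumed stand-in for the rule's "certain characters and patterns":
# a query parameter value that carries another URL. The real pattern used
# by the rule is not given on the page.
EMBEDDED_URL = re.compile(r"https?://", re.IGNORECASE)

# Assumed high-trust sender domains; the real rule uses a maintained list.
HIGH_TRUST_DOMAINS = {"example.com", "example.org"}


@dataclass
class Message:
    sender_domain: str
    dmarc_pass: bool
    links: list[str] = field(default_factory=list)


def is_suspicious_redirect(url: str) -> bool:
    """Link-level conditions: host, path prefix and a suspicious query value."""
    parsed = urlparse(url)
    if parsed.hostname != "nts.embluemail.com":   # hostname is lower-cased
        return False
    if not parsed.path.startswith("/p/cl"):
        return False
    # parse_qs percent-decodes values, so an encoded URL is visible here
    params = parse_qs(parsed.query, keep_blank_values=True)
    return any(EMBEDDED_URL.search(v) for values in params.values() for v in values)


def is_trusted_sender(msg: Message) -> bool:
    """High-trust domains are exempt only while they pass DMARC."""
    return msg.sender_domain.lower() in HIGH_TRUST_DOMAINS and msg.dmarc_pass


def should_alert(msg: Message) -> bool:
    if is_trusted_sender(msg):
        return False
    return any(is_suspicious_redirect(u) for u in msg.links)


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    # unknown sender, redirect whose query embeds a login-looking URL -> alert
    Message("lookalike.example", False,
            ["https://nts.embluemail.com/p/cl?u=https%3A%2F%2Flogin.example.net%2Fsignin"]),
    # same endpoint, only tracking ids in the query -> ignore
    Message("lookalike.example", False,
            ["https://nts.embluemail.com/p/cl?c=123&m=456"]),
    # high-trust sender passing DMARC -> exempt
    Message("example.com", True,
            ["https://nts.embluemail.com/p/cl?u=https%3A%2F%2Flogin.example.net"]),
    # high-trust sender failing DMARC -> exemption does not apply, alert
    Message("example.com", False,
            ["https://nts.embluemail.com/p/cl?u=https%3A%2F%2Flogin.example.net"]),
    # same host, different path -> not the redirect endpoint, ignore
    Message("lookalike.example", False,
            ["https://nts.embluemail.com/other?u=https%3A%2F%2Flogin.example.net"]),
]


def run_samples() -> list[bool]:
    return [should_alert(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m, hit in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{'ALERT ' if hit else 'ignore'} sender={m.sender_domain} dmarc={m.dmarc_pass}")
```

The fourth sample is the case the DMARC clause exists for: a message claiming a trusted domain but failing authentication is treated like any other sender, so spoofing a whitelisted domain does not bypass the redirect check.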
Categories
- Web
- Endpoint
- Cloud
- Identity Management
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2025-02-06