
Link: Suspicious go.php redirect with document lure

Sublime Rules

Summary
This detection rule identifies potentially malicious links that redirect through a PHP endpoint (specifically 'go.php') and carry authentication parameters in their query string. This pattern is commonly associated with credential phishing, where attackers redirect users to phishing sites that mimic legitimate platforms in order to collect their credentials. The rule looks for links in the body of inbound traffic where the URL path ends with 'go.php', the query string starts with 'auth=', and the path contains exactly two slashes. Requiring all three conditions together filters out ordinary benign links and focuses on those that exhibit the redirection behavior typical of these lures. Implementing this rule improves security posture by enabling timely detection of potential phishing attempts and prompt remediation.
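The three conditions above, reimplemented in Python as an added example (this is not the rule's own source, which is not reproduced on this page): it extracts http(s) links from a constructed sample message body and keeps only those whose path ends with 'go.php', whose query begins with 'auth=', and whose path contains exactly two slashes. The exact string-matching semantics of the published rule are assumed here, and the sample body and URLs are constructed, not taken from any real message.

```python
import re
from urllib.parse import urlparse

# Constructed sample email body (not from the original page): one link meets
# all three conditions, the rest are deliberate near-misses.
SAMPLE_BODY = """
<p>Your document is ready.
<a href="https://cdn.example.test/track/go.php?auth=abc123">View document</a></p>
<p>Other links: https://example.test/go.php?auth=abc
https://example.test/a/go.php?id=5&auth=abc
https://example.test/a/b/go.php?auth=abc
https://docs.example.test/share/view.php?auth=x</p>
"""

# Simple http(s) link extractor; stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def is_suspicious_go_php_link(url: str) -> bool:
    """True when the URL matches the pattern described in the summary:
    path ends with 'go.php', query starts with 'auth=', path has exactly two '/'.
    Assumed semantics; the published rule's own matching may differ."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    if not parts.path.endswith("go.php"):
        return False
    if parts.path.count("/") != 2:
        return False
    return parts.query.startswith("auth=")


def flagged_links(body: str) -> list[str]:
    """Extract http(s) links from a message body and keep the suspicious ones."""
    return [u for u in URL_RE.findall(body) if is_suspicious_go_php_link(u)]


if __name__ == "__main__":
    for link in flagged_links(SAMPLE_BODY):
        print("flagged:", link)
```

Only the first link is flagged; the others fail on slash count, query position, or the path suffix, which is what keeps the rule from firing on ordinary document-sharing links.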
Categories
  • Web
  • Network
Data Sources
  • Web Credential
  • Network Traffic
Created: 2026-02-12