
Summary
This detection rule identifies exploitation of an open redirect on a U.S. Department of Health and Human Services (HHS) domain. It looks for links that point to 'dcis.hhs.gov' with query parameters containing the term 'service', a pattern characteristic of phishing attempts that abuse this open redirect. The rule evaluates inbound traffic, inspecting the body for links whose domain is 'dcis.hhs.gov'. By catching these redirects, the rule aims to stop users from being led to credential theft or malware through phishing campaigns that use the open redirect as a vector. With phishing attacks growing more sophisticated during pandemic-related crises, detecting these threats is crucial for organizational security.
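The rule's logic as an added worked example, not the rule's own source or the detection platform's query language: a Python check that extracts links from a message body, matches the host 'dcis.hhs.gov' exactly, and looks for 'service' in the decoded query parameter names or values. The sample bodies and the `.invalid` domains are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Values taken from the rule description: the redirect host and the query term.
RULE_DOMAIN = "dcis.hhs.gov"
RULE_QUERY_TERM = "service"

# Matches http(s) URLs in HTML (href="...") or plain text; stops at whitespace/quotes/tags.
URL_RE = re.compile(r"""(?:href=["']?)?(https?://[^\s"'<>]+)""", re.IGNORECASE)


def extract_links(body: str) -> list:
    """Return every http(s) URL found in a raw message body."""
    return URL_RE.findall(body)


def is_hhs_open_redirect(url: str) -> bool:
    """True when the link's host is dcis.hhs.gov and any query parameter
    name or value contains 'service' (case-insensitive, percent-decoded)."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != RULE_DOMAIN:
        return False
    # parse_qs decodes %-escapes, so an encoded 'service' is still caught.
    params = parse_qs(parts.query, keep_blank_values=True)
    candidates = list(params.keys()) + [v for vals in params.values() for v in vals]
    return any(RULE_QUERY_TERM in s.lower() for s in candidates)


def flag_message(body: str) -> list:
    """Return the links in an inbound body that trip the rule (empty if none)."""
    return [u for u in extract_links(body) if is_hhs_open_redirect(u)]


# Constructed sample bodies (not real messages) for demonstration.
SAMPLE_PHISH = (
    "<p>Your statement is ready.</p>"
    '<a href="https://dcis.hhs.gov/?service=https%3A%2F%2Fexample-phish.invalid%2Flogin">View</a>'
)
SAMPLE_BENIGN = (
    "Read the notice at https://www.hhs.gov/about/news/index.html and "
    "https://dcis.hhs.gov/help?topic=billing"
)

if __name__ == "__main__":
    print("phish hits:", flag_message(SAMPLE_PHISH))    # one link flagged
    print("benign hits:", flag_message(SAMPLE_BENIGN))  # []
```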
Categories
- Web
- Cloud
- Endpoint
Data Sources
- User Account
- Network Traffic
Created: 2021-02-19