
Open Redirect: weblinkconnect.com

Sublime Rules

Summary
This detection rule targets phishing attacks that exploit an open redirect on the domain 'weblinkconnect.com'. It examines emails for links to 'weblinkconnect.com' that arrive from an untrusted sender domain. The rule requires that the email body contain fewer than ten links to 'weblinkconnect.com' and specifically looks for internal API links whose path contains '/click' and whose query string carries a 'url=' parameter. It then checks the sender's domain against a list of high-trust domains and whether those domains passed DMARC authentication. A message that fails these checks is flagged as suspicious, which mitigates the risk of credential phishing that abuses open redirects. The rule helps identify and block an exploitation technique commonly used in modern phishing campaigns, strengthening overall email security.
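The detection logic described above, worked through in Python as an added example (it is not the rule's own MQL and not code from the Sublime project); the high-trust domain list, the DMARC flag, and the sample messages are constructed assumptions, not values from the page:

```python
from urllib.parse import urlparse, parse_qs

# Hypothetical high-trust sender list; the real rule's list is not on the page.
HIGH_TRUST_DOMAINS = {"weblinkconnect.com", "trusted-partner.example"}
MAX_WEBLINK_LINKS = 10  # rule only fires on messages with fewer than ten weblinkconnect.com links


def _hostname(link: str) -> str:
    try:
        return (urlparse(link).hostname or "").lower()
    except ValueError:  # malformed URL (e.g. bad IPv6 literal) counts as no host
        return ""


def is_weblinkconnect(link: str) -> bool:
    """Link points at weblinkconnect.com or one of its subdomains."""
    host = _hostname(link)
    return host == "weblinkconnect.com" or host.endswith(".weblinkconnect.com")


def is_open_redirect_link(link: str) -> bool:
    """weblinkconnect.com link whose path contains '/click' and whose query has a 'url' parameter."""
    if not is_weblinkconnect(link):
        return False
    parsed = urlparse(link)
    params = parse_qs(parsed.query, keep_blank_values=True)  # 'url=' with empty value still counts
    return "/click" in parsed.path and "url" in params


def is_suspicious(sender_domain: str, dmarc_pass: bool, body_links: list[str]) -> bool:
    """Redirect link present, link count under threshold, sender not (high-trust AND DMARC pass)."""
    weblink_count = sum(1 for link in body_links if is_weblinkconnect(link))
    if weblink_count >= MAX_WEBLINK_LINKS:
        return False  # bulk mailings from the platform itself are out of scope
    if not any(is_open_redirect_link(link) for link in body_links):
        return False
    sender_ok = sender_domain.lower() in HIGH_TRUST_DOMAINS and dmarc_pass
    return not sender_ok


# Constructed samples: one phishing-style message and one legitimate platform notification.
PHISH = ("mailer.bulk-sender.example", False,
         ["https://weblinkconnect.com/click?url=https://lure.example/login"])
LEGIT = ("weblinkconnect.com", True,
         ["https://weblinkconnect.com/click?url=https://member-portal.example/renew"])

if __name__ == "__main__":
    for name, (sender, dmarc, links) in (("phish", PHISH), ("legit", LEGIT)):
        print(name, "suspicious" if is_suspicious(sender, dmarc, links) else "clean")
```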
Categories
  • Web
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
Created: 2024-10-10