
Summary
This detection rule targets abuse of an open redirect on the domain 'museepicassoparis.fr', which has been flagged because the redirect is being exploited in the wild. The rule triggers on links in a message body that point to 'museepicassoparis.fr' and carry a specific URL shape: the query parameters typically used for tracking on that site, 'tracker=', 'organization=', 'seasonId=' and 'redirectTo='. Notably, it also checks that the 'redirectTo' parameter does not simply send the user back to the same domain; a redirect to an external destination is what indicates a possible malicious redirect. Additionally, the sender's domain is evaluated: if it is on a list of highly trusted domains, the rule checks whether DMARC authentication passes, so that authenticated mail from those senders does not produce false positives. Together these conditions help detect phishing attempts and malware delivery scenarios that exploit open redirect vulnerabilities.
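The conditions described above, written out as plain Python so the logic can be tested against sample links; this is an added illustration, not the rule's own source or its query syntax. The trusted-sender list, the sample links and the message dictionaries are constructed for the example; only the domain and parameter names come from the summary.

```python
from urllib.parse import urlparse, parse_qs

# Domain and parameter names are taken from the rule summary. The real
# trusted-domain list is not on the page, so the set below is a constructed stand-in.
TARGET_DOMAIN = "museepicassoparis.fr"
TRACKING_PARAMS = ("tracker", "organization", "seasonid", "redirectto")
HIGH_TRUST_SENDER_DOMAINS = {"trusted-sender.example"}  # constructed


def _on_target_domain(host):
    host = (host or "").lower()
    return host == TARGET_DOMAIN or host.endswith("." + TARGET_DOMAIN)


def link_is_abused_redirect(url):
    """True when a link points at the flagged domain, carries the tracking-style
    query, and its redirectTo leaves that domain (the open-redirect pattern)."""
    parsed = urlparse(url)
    if not _on_target_domain(parsed.hostname):
        return False
    # Keys compared case-insensitively; parse_qs percent-decodes the nested URL.
    params = {k.lower(): v[0] for k, v in parse_qs(parsed.query).items()}
    if not all(name in params for name in TRACKING_PARAMS):
        return False
    destination = urlparse(params["redirectto"])
    if not destination.netloc:
        return False  # relative path stays on the site: the benign case
    # A redirect back onto museepicassoparis.fr is the site's normal behaviour;
    # only an external destination matches.
    return not _on_target_domain(destination.hostname)


def sender_is_exempt(sender_domain, dmarc_pass):
    """A highly trusted sender domain whose DMARC check passes is treated as
    legitimate mail and never flagged; all other senders fall through to the links."""
    return sender_domain.lower() in HIGH_TRUST_SENDER_DOMAINS and dmarc_pass


def message_matches(message):
    """Verdict for one message dict with keys sender_domain, dmarc_pass, links."""
    if sender_is_exempt(message["sender_domain"], message["dmarc_pass"]):
        return False
    return any(link_is_abused_redirect(link) for link in message["links"])


# Constructed sample links, not real captures: LURE bounces off the site to an
# external host, SAFE is the site's own redirect back to itself.
LURE = ("https://museepicassoparis.fr/event?tracker=t1&organization=42&seasonId=7"
        "&redirectTo=https%3A%2F%2Fphish.example%2Flogin")
SAFE = ("https://museepicassoparis.fr/event?tracker=t1&organization=42&seasonId=7"
        "&redirectTo=https://museepicassoparis.fr/billetterie")
```

A message from a trusted sender with a passing DMARC result is exempt even if it carries LURE, while the same link from an unknown sender, or from a trusted domain that fails DMARC, matches.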
Categories
- Web
- Cloud
Data Sources
- User Account
- Network Traffic
Created: 2025-02-06