Open redirect: Linkedin

Sublime Rules

Summary
This detection rule aims to identify potentially malicious emails that contain links to LinkedIn's open redirect service via the path '/slink?code=xxxxx'. It specifically targets emails that do not originate from the official linkedin.com domain but contain links or attachments that reference LinkedIn's link shortener service. The rule examines both the body of the email and any PDF attachments, looking for patterns indicative of phishing attempts or other malicious activity. By checking the sender's email domain, the rule filters out legitimate communications from LinkedIn to reduce false positives. Key indicators of a potential threat are the presence of the '/slink' path in a link's URL and query parameters consistent with redirect behavior, such as 'code=' or 'redirect_uri'. This proactive approach helps to mitigate risks associated with credential phishing and malware delivery.
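The following Python is an added illustration of the logic the summary describes (sender-domain exclusion, '/slink' path, 'code=' or 'redirect_uri' query parameters, body and PDF links); it is not the rule's own source, and the email records, field names and link values are constructed sample data:

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample messages (not real mail). Each record carries the
# sender address, links found in the body and links extracted from PDFs.
SAMPLE_EMAILS = [
    {"sender": "jobs-noreply@linkedin.com",          # legitimate LinkedIn mail
     "body_links": ["https://www.linkedin.com/slink?code=abc123"],
     "pdf_links": []},
    {"sender": "hr-team@example.net",                # non-LinkedIn sender, slink in body
     "body_links": ["https://www.linkedin.com/slink?code=g7Hx2Qp"],
     "pdf_links": []},
    {"sender": "billing@example.org",                # slink link hidden in a PDF
     "body_links": ["https://example.org/login"],
     "pdf_links": ["https://linkedin.com/slink?redirect_uri=https://bad.example"]},
    {"sender": "newsletter@example.com",             # LinkedIn link, but not /slink
     "body_links": ["https://www.linkedin.com/in/someone"],
     "pdf_links": []},
]

def sender_domain(address):
    """Return the lowercase domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()

def is_linkedin_sender(address):
    """True for linkedin.com and its subdomains (used to suppress false positives)."""
    domain = sender_domain(address)
    return domain == "linkedin.com" or domain.endswith(".linkedin.com")

def is_slink_redirect(url):
    """True if the URL is a LinkedIn /slink link with a redirect-style query."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if not (host == "linkedin.com" or host.endswith(".linkedin.com")):
        return False
    if not parts.path.lower().startswith("/slink"):
        return False
    params = parse_qs(parts.query)
    return "code" in params or "redirect_uri" in params

def flag_email(msg):
    """Apply the rule: non-LinkedIn sender AND a /slink redirect in body or PDF."""
    if is_linkedin_sender(msg["sender"]):
        return False
    return any(is_slink_redirect(u) for u in msg["body_links"] + msg["pdf_links"])

def flagged_senders(emails=SAMPLE_EMAILS):
    """Return the senders of all messages the rule would flag."""
    return [m["sender"] for m in emails if flag_email(m)]
```

The PDF case shows why attachment links must be scanned as well: the body alone would look benign.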
Categories
  • Web
  • Endpoint
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2023-06-13