
Summary
This detection rule identifies abuse of an open redirect on buildingengines.com in inbound email, where it is used in phishing campaigns. It inspects links in inbound messages for URLs on 'app.buildingengines.com' that carry a '_redirectTo' parameter and flags those whose redirect target leaves buildingengines.com; links that only redirect back to a legitimate buildingengines.com URL are treated as benign and ignored. Sender analysis then narrows the results: messages from the vendor's own legitimate domains are excluded, as are senders whose root domain appears on a high-trust list, unless that sender fails DMARC authentication. The rule fires when these conditions together indicate credential phishing or malware delivery through the open redirect.
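The following is an added worked example of the detection logic described above, written here to show how the link check and the sender exclusions combine. It is not the rule's own code and does not use the rule engine's query language; the message shape (a dict with sender domain, DMARC result and extracted URLs), the contents of the high-trust sender list, and all sample messages are constructed for illustration. It deliberately handles the edge cases a practitioner would want covered: path-only redirect targets, scheme-relative targets (`//host`), double percent-encoding, and lookalike hosts such as `buildingengines.com.evil.example`.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Values taken from the rule description.
OPEN_REDIRECT_HOST = "app.buildingengines.com"
LEGIT_ROOT = "buildingengines.com"
REDIRECT_PARAM = "_redirectTo"
# Hypothetical placeholder list; the real high-trust list is not on the page.
HIGH_TRUST_SENDER_ROOTS = {"microsoft.com", "google.com"}


def root_domain(host: str) -> str:
    """Naive registrable-domain extraction (last two labels).
    A production rule would consult the public suffix list (e.g. for co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_legit_host(host: str) -> bool:
    """True only for buildingengines.com itself or a real subdomain of it.
    A lookalike such as 'buildingengines.com.evil.example' does not match."""
    host = host.lower().rstrip(".")
    return host == LEGIT_ROOT or host.endswith("." + LEGIT_ROOT)


def fully_unquote(value: str) -> str:
    """Undo repeated percent-encoding so a double-encoded target is still seen."""
    while True:
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded


def external_redirect_target(url: str):
    """If url is an app.buildingengines.com link whose _redirectTo leaves
    buildingengines.com, return that external target; otherwise None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != OPEN_REDIRECT_HOST:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get(REDIRECT_PARAM, []):
        target = fully_unquote(raw)
        tparts = urlsplit(target)
        if tparts.hostname is None:
            # Path-only targets such as /workorders stay on the site.
            # Caveat: a bare 'evil.example/x' also lands here; treat it as
            # external only if the application is known to prepend a scheme.
            continue
        if is_legit_host(tparts.hostname):
            continue  # redirects back to buildingengines.com: benign
        return target
    return None


def sender_is_excluded(sender_domain: str, dmarc_pass: bool) -> bool:
    """Sender exclusions from the rule description: the vendor's own domain,
    or a high-trust root domain, unless that sender fails DMARC."""
    root = root_domain(sender_domain)
    if root == LEGIT_ROOT:
        return True
    return root in HIGH_TRUST_SENDER_ROOTS and dmarc_pass


def evaluate(message: dict) -> list:
    """Return the external redirect targets that would fire the rule for a
    message shaped like {'sender_domain': str, 'dmarc_pass': bool, 'urls': [str]}."""
    if sender_is_excluded(message["sender_domain"], message["dmarc_pass"]):
        return []
    hits = []
    for url in message["urls"]:
        target = external_redirect_target(url)
        if target is not None:
            hits.append(target)
    return hits


# Constructed sample messages; none of these hosts are real traffic.
BASE = "https://app.buildingengines.com/login?" + REDIRECT_PARAM + "="
SAMPLES = {
    "phish": {
        "sender_domain": "notify.bldg-alerts.example",
        "dmarc_pass": False,
        "urls": [BASE + "https%3A%2F%2Fbldg-portal.example%2Fsso"],
    },
    "legit_internal": {
        "sender_domain": "notify.bldg-alerts.example",
        "dmarc_pass": False,
        "urls": [BASE + "%2Fworkorders", BASE + "https%3A%2F%2Fwww.buildingengines.com%2Fhelp"],
    },
    "trusted_sender_dmarc_pass": {
        "sender_domain": "mail.microsoft.com",
        "dmarc_pass": True,
        "urls": [BASE + "https%3A%2F%2Fbldg-portal.example%2Fsso"],
    },
    "trusted_sender_dmarc_fail": {
        "sender_domain": "mail.microsoft.com",
        "dmarc_pass": False,
        "urls": [BASE + "%2F%2Fevil.example%2Fx"],
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate(msg))
```

Running the block prints, for each constructed sample, the list of external redirect targets the rule would surface: only `phish` and `trusted_sender_dmarc_fail` produce hits, while the path-only and same-domain redirects and the DMARC-passing high-trust sender produce none.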
Categories
- Web
- Endpoint
Data Sources
- User Account
- Network Traffic
- Web Credential
Created: 2025-03-18