
Summary
This detection rule targets potential open redirect vulnerabilities in Bitrix24 links, which have been exploited in phishing attacks. The rule primarily aims to identify inbound messages containing links whose path begins with '/bitrix/' and ends with '.php', a pattern that indicates redirect manipulation which could lead to a phishing attempt. It additionally checks for the query parameter 'goto=', which is commonly used in such malicious redirects. To reduce false positives, the rule suppresses alerts from highly trusted sender domains unless their DMARC authentication fails, so that legitimate senders are not incorrectly flagged. The rule combines sender analysis and URL analysis to determine whether the message poses a credential phishing risk.
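As an added illustration of the logic the summary describes (this is example code written for this page, not the detection rule's own implementation or the vendor's query language), the following Python evaluates constructed inbound messages against the three conditions: a link path that starts with '/bitrix/' and ends with '.php', a 'goto=' query parameter, and suppression for trusted sender domains whose DMARC check passes. The `Message` class, the `TRUSTED_DOMAINS` set and the sample messages are assumptions made up for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed placeholder for the rule's list of highly trusted sender domains.
TRUSTED_DOMAINS = {"trusted-partner.example"}


@dataclass
class Message:
    """Minimal stand-in for an inbound email (assumed structure, not the rule's schema)."""
    sender_domain: str
    dmarc_pass: bool      # True if the sender's DMARC authentication passed
    links: list           # every URL extracted from the message body


def is_bitrix_redirect(url: str) -> bool:
    """Return True if the URL path looks like a Bitrix redirect endpoint
    ('/bitrix/...php') and carries a 'goto' query parameter."""
    parts = urlparse(url)
    path = parts.path.lower()
    if not (path.startswith("/bitrix/") and path.endswith(".php")):
        return False
    # keep_blank_values so a bare 'goto=' with no target still counts
    query = parse_qs(parts.query, keep_blank_values=True)
    return "goto" in query


def sender_is_trusted(msg: Message) -> bool:
    """Trusted domains are only exempt when DMARC actually passes; a failing
    DMARC result means the trusted domain may be spoofed, so no exemption."""
    return msg.sender_domain.lower() in TRUSTED_DOMAINS and msg.dmarc_pass


def matching_links(msg: Message) -> list:
    """All links in the message that match the Bitrix redirect pattern."""
    return [u for u in msg.links if is_bitrix_redirect(u)]


def evaluate(msg: Message) -> bool:
    """True when the rule would fire for this message."""
    if sender_is_trusted(msg):
        return False
    return bool(matching_links(msg))


# Constructed sample messages covering each branch of the rule.
REDIRECT = "https://portal.example-corp.test/bitrix/redirect.php?goto=https://login-example.invalid/"
SAMPLE_MESSAGES = [
    # untrusted sender, redirect link with goto -> fires
    Message("attacker-example.net", dmarc_pass=False, links=[REDIRECT]),
    # trusted sender, DMARC passes, same link -> suppressed
    Message("trusted-partner.example", dmarc_pass=True, links=[REDIRECT]),
    # trusted sender but DMARC fails (possible spoof) -> fires
    Message("trusted-partner.example", dmarc_pass=False, links=[REDIRECT]),
    # untrusted sender, Bitrix .php link without goto -> does not fire
    Message("attacker-example.net", dmarc_pass=False,
            links=["https://portal.example-corp.test/bitrix/admin/index.php"]),
    # relative link with goto -> fires
    Message("attacker-example.net", dmarc_pass=False,
            links=["/bitrix/rk.php?goto=https://login-example.invalid/"]),
]


def run_samples() -> list:
    """Evaluate every sample message; returns one verdict per message."""
    return [evaluate(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{msg.sender_domain:25} dmarc_pass={msg.dmarc_pass!s:5} -> {verdict}")
```

The DMARC exemption is applied only when authentication passes, mirroring the summary's caveat: a trusted domain that fails DMARC gets no exemption, because the failure itself is a sign the sender may be spoofed.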
Categories
- Web
- Endpoint
- Cloud
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2025-03-18