Open Redirect: stats.lib.pdx.edu

Sublime Rules

Summary
This detection rule identifies potential exploitation of an open redirect on the domain stats.lib.pdx.edu, which has been observed being misused in phishing campaigns and for malware distribution. The rule triggers when an inbound message contains a link to stats.lib.pdx.edu whose path includes '/proxy.php' and whose query string carries a 'url=' parameter, the pattern of the open redirect. It fires only when the URL named in that parameter does not redirect back to stats.lib.pdx.edu itself, so legitimate uses of the domain's own proxy are not flagged. The rule also consults sender profiles: messages from solicited senders are excluded unless earlier messages from that sender were marked as malicious or spam without being false positives. Finally, it weighs sender reputation by checking the sender's domain against a list of high-trust sender domains and validating DMARC authentication, so that trusted, authenticated senders do not cause unnecessary disruption to legitimate communications.
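The link and sender-profile conditions described in the summary, re-expressed as an added Python illustration rather than Sublime's own rule; the high-trust domain list, the sender-profile field names and the sample message are constructed assumptions:

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse

REDIRECT_HOST = "stats.lib.pdx.edu"
# Constructed placeholder; the real rule consults Sublime's high-trust list.
HIGH_TRUST_SENDER_DOMAINS = {"trusted-partner.example"}


def target_host_of(url_value: str) -> Optional[str]:
    """Host a url= parameter value would send the recipient to."""
    value = url_value.strip()
    if value.startswith("//"):       # protocol-relative target
        value = "http:" + value
    elif "://" not in value:         # scheme-less target, e.g. evil.example/x
        value = "http://" + value
    return urlparse(value).hostname


def is_open_redirect_link(link: str) -> bool:
    """True when a link has the shape the rule describes."""
    parsed = urlparse(link)
    if (parsed.hostname or "").lower() != REDIRECT_HOST or \
            "/proxy.php" not in parsed.path.lower():
        return False
    targets = parse_qs(parsed.query).get("url")
    if not targets:
        return False
    dest = target_host_of(targets[0])
    # A relative url= stays on the library host (assumption) and a redirect
    # back to stats.lib.pdx.edu itself is legitimate use: neither is flagged.
    return dest is not None and dest.lower() != REDIRECT_HOST


def should_alert(message: dict) -> bool:
    """Link check combined with the rule's sender-profile conditions."""
    if not any(is_open_redirect_link(link) for link in message["links"]):
        return False
    sender = message["sender"]
    if sender["solicited"] and not sender["prior_malicious_or_spam_no_fp"]:
        return False   # solicited sender with a clean history
    if sender["domain"] in HIGH_TRUST_SENDER_DOMAINS and sender["dmarc_pass"]:
        return False   # high-trust domain that actually authenticates
    return True


# Constructed sample inbound message with one abused proxy link.
SAMPLE_MESSAGE = {
    "links": ["https://stats.lib.pdx.edu/proxy.php?url=https://evil.example/login"],
    "sender": {"domain": "unknown.example", "solicited": False,
               "prior_malicious_or_spam_no_fp": False, "dmarc_pass": True},
}
```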
Categories
  • Web
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2024-10-08