
Open Redirect: retailrocket.net

Sublime Rules

Summary
This detection rule flags inbound messages that abuse the retailrocket.net link proxy as an open redirect. It first collects the body links whose root domain is retailrocket.net and requires between one and nine of them; a message with ten or more, typical of bulk marketing mail with many tracking links, is out of scope. It then looks for any of those links that point at clickproxy.retailrocket.net and carry a 'url=' query parameter, and uses a regular expression on the parameter value to separate legitimate tracking links from redirects: the rule only fires when the 'url=' target does not resolve to a domain ending in retailrocket.net, i.e. when the click would be bounced off to a third-party site.

Sender reputation narrows the result further. A sender whose root domain is on the high-trust list is exempt only if the message passes DMARC; a high-trust domain that fails DMARC still triggers, because a spoofed trusted sender is exactly the case the rule is meant to catch. The detection targets credential phishing and malware/ransomware delivery that rely on a trusted-looking redirect domain to get a malicious link past link-reputation checks and past the recipient.
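To make the logic concrete, here is a Python re-implementation of the checks described above, run over constructed sample messages. This is an added example, not the Sublime rule's own MQL or code from the Sublime Rules project: the Message fields, the high-trust list contents, and the sample URLs are assumptions for illustration, and the suffix check is written as an exact-host-or-subdomain test rather than the rule's regex.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: stand-in for the rule's high-trust sender list, which the page
# names but does not enumerate.
HIGH_TRUST_ROOT_DOMAINS = {"bigbank.example"}


@dataclass
class Message:
    """Constructed stand-in for the message fields the rule consults."""
    links: list              # href URLs extracted from the message body
    sender_root_domain: str  # root domain of the envelope/header sender
    dmarc_pass: bool         # result of DMARC authentication on the message


def root_domain(host):
    """Last two labels of a hostname; enough for the .net hosts used here (no PSL lookup)."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_retailrocket_host(host):
    """Anchored suffix test: retailrocket.net itself or a subdomain of it, nothing else."""
    host = (host or "").lower()
    return host == "retailrocket.net" or host.endswith(".retailrocket.net")


def is_open_redirect_link(url):
    """True when a clickproxy.retailrocket.net link's url= parameter leaves retailrocket.net."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != "clickproxy.retailrocket.net":
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    if "url" not in params:
        return False
    # parse_qs already decoded one layer; unquote strips a second layer if the
    # attacker double-encoded the target to slip past a naive substring check.
    target = unquote(params["url"][0])
    if target.startswith("//"):
        target = "https:" + target  # scheme-relative targets still leave the site
    target_host = urlsplit(target).hostname
    # A target with no parseable host (bare "evil.example", junk) is not a
    # redirect back to retailrocket.net either, so it counts as suspicious.
    return not is_retailrocket_host(target_host)


def matches_rule(msg):
    """Apply the rule's conditions in the order the summary describes."""
    rr_links = [u for u in msg.links if root_domain(urlsplit(u).hostname) == "retailrocket.net"]
    if not 0 < len(rr_links) < 10:          # 1..9 retailrocket.net links
        return False
    if not any(is_open_redirect_link(u) for u in rr_links):
        return False
    # High-trust senders are exempt only when DMARC passes; a trusted domain
    # that fails DMARC is the spoofing case and still fires.
    if msg.sender_root_domain in HIGH_TRUST_ROOT_DOMAINS and msg.dmarc_pass:
        return False
    return True


# Constructed sample messages (hostnames under .example are placeholders).
PHISH = "https://clickproxy.retailrocket.net/track?cid=123&url=https%3A%2F%2Flogin-microsoft.example%2Fverify"
LEGIT = "https://clickproxy.retailrocket.net/track?cid=123&url=https%3A%2F%2Fshop.retailrocket.net%2Fitem"
SAMPLES = {
    "phish_offsite_redirect": Message([PHISH], "mail.example", True),
    "legit_tracking_link": Message([LEGIT], "mail.example", True),
    "scheme_relative_target": Message(
        ["https://clickproxy.retailrocket.net/t?url=%2F%2Fevil.example%2F"], "mail.example", True),
    "double_encoded_target": Message(
        ["https://clickproxy.retailrocket.net/t?url=https%253A%252F%252Fevil.example"], "mail.example", True),
    "bulk_newsletter_12_links": Message([LEGIT] * 11 + [PHISH], "mail.example", True),
    "trusted_sender_dmarc_pass": Message([PHISH], "bigbank.example", True),
    "trusted_sender_dmarc_fail": Message([PHISH], "bigbank.example", False),
}


def run_samples():
    """Return {label: fired?} for every constructed sample."""
    return {label: matches_rule(msg) for label, msg in SAMPLES.items()}


if __name__ == "__main__":
    for label, fired in run_samples().items():
        print(f"{label:28s} {'MATCH' if fired else 'no match'}")
```

Two details are worth carrying back to the real rule. The target check is anchored on the whole host, so notretailrocket.net or retailrocket.net.evil.example do not pass as internal; a regex that merely asks whether the 'url=' value contains or ends with the string retailrocket.net would let both through. And the value is decoded before the host is compared, because a double-encoded target looks like harmless text to a check that runs on the raw query string.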
Categories
  • Web
  • Application
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2025-02-04