
Summary
This rule detects messages that abuse an open redirect on PremierBet's website, a technique that can lead to credential phishing and malware or ransomware delivery. It looks for links whose host is 'premierbet.com' and whose query string carries the 'returnUrl=' parameter, which suggests abuse of the site's redirect handling to bounce the victim to an attacker-controlled page. To avoid flagging PremierBet's own mail, the rule only fires when the sender's email domain is not 'premierbet.com'. Messages from highly trusted sender domains are considered only if they fail DMARC authentication, so an authenticated message from a trusted domain is not flagged. Sender history is also taken into account: the rule targets unsolicited senders and senders with a history of malicious or spam messages, and it excludes senders for which false positives have already been recorded.
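The conditions above, expressed as a standalone Python check and run over a handful of constructed sample messages. This is an added illustration, not the rule's own query language or the vendor's implementation; the `Message` and `SenderProfile` shapes, the `HIGH_TRUST_DOMAINS` set, and the sample addresses are assumptions. It also shows two details a practitioner wants right: the host is compared after URL parsing (so `premierbet.com.evil.example` or a `premierbet.com@evil.example` userinfo trick does not match), and the redirect target is extracted so an analyst can see where the victim would land.

```python
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Assumed set of "highly trusted" sender domains; the page does not list them.
HIGH_TRUST_DOMAINS = {"google.com", "microsoft.com"}


@dataclass
class SenderProfile:
    solicited: bool               # recipient has corresponded with this sender before
    any_malicious_or_spam: bool   # sender has prior messages judged malicious or spam
    any_false_positives: bool     # sender has prior detections marked as false positives


@dataclass
class Message:
    sender_email: str
    links: list                   # URLs found in the message body
    dmarc_pass: bool              # result of DMARC authentication for this message
    profile: SenderProfile


def extract_redirect_target(url: str):
    """Return the returnUrl value if `url` points at premierbet.com (or a
    subdomain, an assumption) and carries that parameter; otherwise None."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()   # hostname excludes userinfo and port
    if host != "premierbet.com" and not host.endswith(".premierbet.com"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        if name.lower() == "returnurl":     # case-insensitive match is an assumption
            return values[0] if values else ""
    return None


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def rule_matches(msg: Message) -> bool:
    """Apply the rule's conditions in the order the summary describes."""
    targets = [t for t in (extract_redirect_target(u) for u in msg.links) if t is not None]
    if not targets:
        return False                                    # no premierbet.com returnUrl link
    domain = sender_domain(msg.sender_email)
    if domain == "premierbet.com":
        return False                                    # PremierBet's own mail is exempt
    if domain in HIGH_TRUST_DOMAINS and msg.dmarc_pass:
        return False                                    # trusted domain, authenticated
    if msg.profile.any_false_positives:
        return False                                    # known-noisy sender
    return (not msg.profile.solicited) or msg.profile.any_malicious_or_spam


# Constructed sample messages (not real traffic).
PHISH_LINK = "https://premierbet.com/login?returnUrl=https://evil.example/reset"
UNKNOWN = SenderProfile(solicited=False, any_malicious_or_spam=False, any_false_positives=False)
SAMPLE_MESSAGES = {
    "unsolicited_phish": Message("alerts@unknown-sender.example", [PHISH_LINK], False, UNKNOWN),
    "lookalike_host": Message("alerts@unknown-sender.example",
                              ["https://premierbet.com.evil.example/?returnUrl=https://evil.example"],
                              False, UNKNOWN),
    "userinfo_trick": Message("alerts@unknown-sender.example",
                              ["https://premierbet.com@evil.example/?returnUrl=https://evil.example"],
                              False, UNKNOWN),
    "from_premierbet": Message("promo@premierbet.com", [PHISH_LINK], True, UNKNOWN),
    "trusted_dmarc_pass": Message("noreply@google.com", [PHISH_LINK], True, UNKNOWN),
    "trusted_dmarc_fail": Message("noreply@google.com", [PHISH_LINK], False, UNKNOWN),
    "known_false_positive": Message("news@partner.example", [PHISH_LINK], False,
                                    SenderProfile(True, False, True)),
    "solicited_clean": Message("friend@partner.example", [PHISH_LINK], False,
                               SenderProfile(True, False, False)),
    "solicited_spammy": Message("deals@partner.example", [PHISH_LINK], False,
                                SenderProfile(True, True, False)),
}


def evaluate_all():
    """Run the rule over every sample; returns {name: matched}."""
    return {name: rule_matches(msg) for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:22s} -> {'MATCH' if hit else 'no match'}")
```

Only the unsolicited phish, the trusted domain that fails DMARC, and the solicited sender with a spam history should match; the lookalike and userinfo hosts never reach the sender checks because the host comparison rejects them first.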
Categories
- Web
- Cloud
- Application
- Identity Management
Data Sources
- Web Credential
- User Account
- Application Log
Created: 2024-08-22