
Summary
This detection rule identifies inbound messages that abuse doubleclick.net ad-click links as open redirects. It applies only to messages containing fewer than ten links and examines each link whose root domain is doubleclick.net (so subdomains such as ad.doubleclick.net are in scope). A link is suspicious when its path contains one of the ad-click substrings '/aclk', '/pcs/click' or '/searchads/link/click' and its query string carries an encoded destination URL, the pattern by which a legitimate click-tracking endpoint is repurposed to bounce the recipient to an attacker-controlled page. To limit false positives from routine marketing mail, the rule fires only when the sender is new, is an outlier relative to its usual sending behavior, or has previously sent messages judged malicious and has no false-positive history. Severity is medium; the associated attack types are Credential Phishing and Malware/Ransomware, the tactic is open redirect, and detection relies on sender analysis and URL analysis.
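The following is an added Python re-implementation of the logic described above, run over a constructed inbound message; it is not the rule's own source. The sender-profile fields, the decision to scan every query parameter for an encoded URL (rather than a fixed parameter name), and the sample links are assumptions made for illustration.

```python
"""Added example: doubleclick.net open-redirect check over a constructed message.

Not the detection rule's own code.  Field names, the query-scanning strategy
and the sample links are assumptions; the path list, link-count threshold and
sender conditions follow the summary.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs, unquote

# Path substrings named in the summary as indicative of ad clicks.
AD_CLICK_PATHS = ("/aclk", "/pcs/click", "/searchads/link/click")
MAX_LINKS = 10  # the rule only considers messages with fewer than ten links


@dataclass
class Sender:
    # Assumed sender-profile fields; the page names the concepts, not a schema.
    is_new: bool = False
    is_outlier: bool = False
    prior_malicious: int = 0
    prior_false_positives: int = 0


@dataclass
class Message:
    links: list
    sender: Sender = field(default_factory=Sender)


def root_domain(host: str) -> str:
    """Last two DNS labels: fine for doubleclick.net, naive for e.g. co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def encoded_destination(query: str):
    """Return the first query value that decodes to an http(s) URL, else None.

    Scanning every parameter instead of a fixed name list is my assumption;
    a second unquote catches double-encoded destinations.
    """
    for values in parse_qs(query, keep_blank_values=True).values():
        for v in values:
            decoded = unquote(v)  # parse_qs already decoded once
            if decoded.lower().startswith(("http://", "https://")):
                return decoded
    return None


def is_doubleclick_redirect(url: str) -> bool:
    """Root domain doubleclick.net + ad-click path + encoded destination URL."""
    parts = urlsplit(url)
    if root_domain(parts.hostname or "") != "doubleclick.net":
        return False  # also rejects look-alikes such as doubleclick.net.evil.example
    if not any(p in parts.path for p in AD_CLICK_PATHS):
        return False
    return encoded_destination(parts.query) is not None


def sender_is_suspect(s: Sender) -> bool:
    """New or outlier sender, or prior malicious verdicts with no FP history."""
    return s.is_new or s.is_outlier or (
        s.prior_malicious > 0 and s.prior_false_positives == 0
    )


def rule_matches(msg: Message) -> bool:
    if len(msg.links) >= MAX_LINKS:
        return False
    if not sender_is_suspect(msg.sender):
        return False
    return any(is_doubleclick_redirect(u) for u in msg.links)


# Constructed sample: a new sender, two links, one of them a doubleclick.net
# click URL whose adurl parameter carries a percent-encoded phishing page.
SAMPLE = Message(
    links=[
        "https://www.example.com/newsletter",
        "https://ad.doubleclick.net/aclk?sa=L&ai=abc"
        "&adurl=https%3A%2F%2Flogin-portal.example%2Fverify",
    ],
    sender=Sender(is_new=True),
)

if __name__ == "__main__":
    print("match:", rule_matches(SAMPLE))
```

The root-domain comparison is what keeps `doubleclick.net.evil.example` out of scope, while the link-count ceiling and the sender conditions are what keep ordinary ad-laden marketing mail from firing the rule.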
Categories
- Network
- Web
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2024-01-22