
Summary
This detection rule targets open redirects on the domain "ringaraja.net", which have been actively exploited in the wild. The rule matches inbound messages that contain links referencing this domain on a specific path, with query parameters structured as a redirect. Links whose query parameters also contain the same domain are excluded, because a redirect that stays on ringaraja.net is not an abuse of the open redirect. The rule also applies sender profile analysis, correlating the message with the sender's previous activity to surface potentially malicious behaviour. It considers only messages from senders who are not highly trusted, unless a highly trusted sender fails DMARC authentication. The overall aim is to flag messages that may be delivering credential phishing or malware through the open redirect vulnerability.
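As an added illustration (not the vendor's rule logic, and not code from the original page), the following Python sketches the link and sender checks described above. The redirect path `/redirect` and the parameter names `url`, `redirect`, `u` and `goto` are assumptions; the original rule's specific path and query structure are not reproduced here. The message, links and sender attributes are constructed sample data.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlparse

TARGET_DOMAIN = "ringaraja.net"
# Assumption: the abused endpoint path and the query parameter names that
# carry the redirect destination. The real rule's values are not reproduced.
REDIRECT_PATH = "/redirect"
REDIRECT_PARAMS = ("url", "redirect", "u", "goto")


@dataclass
class Message:
    """Constructed stand-in for an inbound email with extracted link URLs."""
    sender: str
    links: list
    sender_highly_trusted: bool
    dmarc_pass: bool


def _on_target_domain(host):
    host = (host or "").lower()
    return host == TARGET_DOMAIN or host.endswith("." + TARGET_DOMAIN)


def is_abused_open_redirect(link):
    """True when the link points at the redirect endpoint on ringaraja.net
    and forwards the visitor to an external destination."""
    p = urlparse(link)
    if p.scheme not in ("http", "https") or not _on_target_domain(p.hostname):
        return False
    if not p.path.lower().startswith(REDIRECT_PATH):
        return False
    # Exclusion from the summary: if the same domain also appears in the
    # query parameters, the redirect stays on-site and is not an abuse.
    # Both the raw and the percent-decoded query are checked so that an
    # encoded dot does not hide the domain.
    query_lower = p.query.lower()
    if TARGET_DOMAIN in query_lower or TARGET_DOMAIN in unquote(query_lower):
        return False
    # The query must be structured as a redirect: a known parameter whose
    # value parses as an absolute http(s) URL with a host.
    qs = parse_qs(p.query)
    for name in REDIRECT_PARAMS:
        for value in qs.get(name, []):
            dest = urlparse(value)
            if dest.scheme in ("http", "https") and dest.hostname:
                return True
    return False


def rule_matches(msg):
    """Apply the sender gate, then the link check, to one message."""
    # Highly trusted senders are only considered when DMARC fails.
    if msg.sender_highly_trusted and msg.dmarc_pass:
        return False
    return any(is_abused_open_redirect(link) for link in msg.links)


# Constructed sample links and messages.
ABUSE_LINK = "https://ringaraja.net/redirect?url=https%3A%2F%2Fevil.example%2Flogin"
ONSITE_LINK = "https://ringaraja.net/redirect?url=https%3A%2F%2Fwww.ringaraja.net%2Fhome"
PLAIN_LINK = "https://ringaraja.net/about"
NO_DEST_LINK = "https://ringaraja.net/redirect?id=123"

SAMPLE_MESSAGES = [
    Message("unknown@example.net", [PLAIN_LINK, ABUSE_LINK], False, False),
    Message("partner@trusted.example", [ABUSE_LINK], True, True),
    Message("partner@trusted.example", [ABUSE_LINK], True, False),
    Message("unknown@example.net", [ONSITE_LINK, NO_DEST_LINK], False, True),
]


def run_samples():
    """Return the senders of the sample messages that the rule flags."""
    return [m.sender for m in SAMPLE_MESSAGES if rule_matches(m)]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m.sender, m.sender_highly_trusted, m.dmarc_pass, rule_matches(m))
```

The percent-decoded comparison matters in practice: a lure that encodes the dot in the domain would otherwise slip past a raw substring check, and the same concern applies to the destination parameter, which is why the destination is parsed after decoding rather than pattern-matched as text.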
Categories
- Web
- Cloud
- Application
Data Sources
- Web Credential
- Network Traffic
- Application Log
Created: 2024-10-08