
Summary
This detection rule identifies potential exploitation of an open redirect vulnerability associated with the domain bubblelife.com, which has been leveraged in various attacks, including credential phishing and malware distribution. The rule inspects inbound messages for a specific redirect URL pattern: the message body must contain a link to bubblelife.com whose path begins with '/click/' and whose query string contains a 'url=' parameter that does not point back to bubblelife.com as the destination. Additionally, the rule excludes messages that originate from sender domains on a predefined trusted list, with particular focus on those that fail DMARC authentication. This limits false positives from legitimate sender domains while still identifying malicious redirects. Overall, the rule aims to prevent users from being redirected to potentially harmful sites through the open redirect.
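The following Python is an added illustration of the matching logic described above; it is not the rule's own code and not the vendor's implementation. It extracts links from a message body, flags those on bubblelife.com whose path starts with '/click/' and whose 'url' parameter points somewhere other than bubblelife.com, and models the trusted-sender exclusion as "skip the message only when the sender domain is on the trusted list and DMARC passed" (that combination is an assumption; the sample message body and domain names are constructed for the example).

```python
import re
from urllib.parse import urlparse, parse_qs

# Crude link extractor for plain-text or HTML bodies; stops at whitespace and quote/angle characters.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def _is_bubblelife_host(host: str) -> bool:
    host = host.lower()
    return host == "bubblelife.com" or host.endswith(".bubblelife.com")


def is_bubblelife_open_redirect(url: str) -> bool:
    """True if url matches the redirect pattern from the rule summary:
    bubblelife.com host, path beginning with /click/, and a 'url' query
    parameter whose destination is not bubblelife.com itself."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    if not _is_bubblelife_host(parsed.hostname or ""):
        return False
    if not parsed.path.startswith("/click/"):
        return False
    # parse_qs percent-decodes values, so an encoded destination is handled too.
    destinations = parse_qs(parsed.query).get("url", [])
    for dest in destinations:
        dest_host = urlparse(dest).hostname or ""
        if _is_bubblelife_host(dest_host):
            continue  # redirect back to the site itself is the benign case
        return True  # external destination reached through the /click/ redirector
    return False


def flag_message(body: str, sender_domain: str, dmarc_pass: bool, trusted_domains: set) -> bool:
    """Return True when the message should be flagged by the rule.

    Exclusion model (assumption): a sender on the trusted list is only excluded
    when it also passed DMARC, so a spoofed trusted domain that fails DMARC is
    still evaluated for the redirect pattern."""
    if sender_domain.lower() in trusted_domains and dmarc_pass:
        return False
    return any(is_bubblelife_open_redirect(u) for u in URL_RE.findall(body))


# Constructed sample message body (not a real observed sample).
SAMPLE_BODY = (
    "Your account needs verification. "
    '<a href="https://bubblelife.com/click/3f2a?url=https%3A%2F%2Flogin.example.net%2Fverify">'
    "Verify now</a>"
)

if __name__ == "__main__":
    print(flag_message(SAMPLE_BODY, "unknown.example", False, {"partner.example"}))
```

Running the module as a script evaluates the constructed sample against an untrusted sender; the same helper can be pointed at a mail-parsing pipeline by passing each message's text body and authentication results.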
Categories
- Web
- Network
Data Sources
- Web Credential
- Network Traffic
Created: 2025-01-29