Open Redirect: bestdeals.today

Sublime Rules

Summary
This detection rule flags messages that abuse a potential open redirect on the domain 'bestdeals.today'. An open redirect occurs when a web application accepts user-controlled input that specifies a URL to redirect to and forwards the visitor there without validating it. The rule matches messages that include links pointing to 'bestdeals.today' which redirect users through a '/redirect' path, particularly where the query parameters contain 'url=', a common pattern in open redirect abuse. To prevent false positives from legitimate messages, the rule uses sender analysis to filter out trusted sources and checks that the email domain the message originates from is different from 'bestdeals.today'. It also accounts for high-trust sender domains, allowing more precise filtering based on DMARC authentication status. The rule is marked medium severity and covers the credential phishing and malware/ransomware attack vectors.
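The conditions described above, sketched in Python as an added example; this is not the rule's own source. The message fields, the `HIGH_TRUST_SENDERS` list, the sample addresses, and the choice to exempt a high-trust sender only when DMARC passes are assumptions made for illustration.

```python
from urllib.parse import urlsplit

REDIRECT_DOMAIN = "bestdeals.today"
# Constructed stand-in for a high-trust sender list (assumption, not the rule's list).
HIGH_TRUST_SENDERS = {"trusted-partner.example"}


def _is_or_under(domain: str, parent: str) -> bool:
    """True when domain equals parent or is a subdomain of it."""
    domain = domain.lower().rstrip(".")
    return domain == parent or domain.endswith("." + parent)


def is_redirect_link(url: str) -> bool:
    """Link on bestdeals.today with a /redirect path and 'url=' in the query string."""
    parts = urlsplit(url)
    # Compare the parsed hostname, not a substring of the URL, so that
    # bestdeals.today.lookalike.example does not count as the redirector.
    on_domain = _is_or_under(parts.hostname or "", REDIRECT_DOMAIN)
    return (on_domain
            and "/redirect" in parts.path.lower()
            and "url=" in parts.query.lower())


def is_flagged(sender_domain: str, dmarc_pass: bool, links: list[str]) -> bool:
    """Apply the sender checks, then look for a matching redirect link."""
    if _is_or_under(sender_domain, REDIRECT_DOMAIN):
        return False  # mail from the redirecting domain itself is not flagged
    if sender_domain.lower() in HIGH_TRUST_SENDERS and dmarc_pass:
        return False  # assumed handling: high-trust senders are exempt only with DMARC pass
    return any(is_redirect_link(u) for u in links)


# Constructed sample messages: (sender domain, DMARC pass, links in body).
SAMPLES = [
    ("unknown-sender.example", False,
     ["https://bestdeals.today/redirect?url=https%3A%2F%2Flogin.example%2F"]),
    ("bestdeals.today", True,
     ["https://bestdeals.today/redirect?url=https%3A%2F%2Fshop.example%2F"]),
    ("trusted-partner.example", False,
     ["https://bestdeals.today/redirect?url=https%3A%2F%2Flogin.example%2F"]),
]

if __name__ == "__main__":
    for sender, dmarc, links in SAMPLES:
        print(sender, "->", "flag" if is_flagged(sender, dmarc, links) else "pass")
```

The third sample shows why the DMARC status matters: a message that claims a high-trust sender domain but fails authentication is still evaluated.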
Categories
  • Web
  • Application
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
Created: 2024-08-22