
Summary
This detection rule identifies messages that abuse an open redirect on the ExacTag platform (exactag.com), a redirector that attackers have used to disguise the true destination of a link. The rule inspects the links in inbound messages for a specific structure: a URL whose host is exactag.com, whose path contains 'ai.aspx', and whose query string carries a 'url=' parameter, which is the attacker-controlled destination. It also factors in the sender's profile: it targets unsolicited senders, and flags a solicited sender only if that sender has a history of malicious or spam messages that were not later marked as false positives. Additionally, the rule excludes highly trusted sender domains unless the message failed DMARC, which reduces false alarms from legitimate ExacTag traffic while still catching spoofed mail. Together these conditions make the rule effective at spotting phishing attempts that route a victim through the redirect to a credential-harvesting or malware-delivery page.
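The following is an added Python illustration of the detection logic described above; it is not the rule's own query language or code. It parses each link structurally (host, path, query) rather than substring-matching the whole URL, so a decoy such as 'https://evil.example/exactag.com/ai.aspx?url=...' does not match, and it applies the sender-profile and DMARC exclusions. The sender-profile fields, the trusted-domain list, and the sample messages are all constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Hypothetical sender-reputation fields, modelled on the conditions the rule describes.
@dataclass
class SenderProfile:
    solicited: bool                 # recipient has an established relationship with the sender
    any_malicious_or_spam: bool     # sender previously sent messages judged malicious/spam
    any_false_positives: bool       # some of those verdicts were later overturned

@dataclass
class Message:
    msg_id: str
    sender_domain: str
    links: list
    dmarc_pass: bool
    profile: SenderProfile

# Constructed list of highly trusted sender domains (assumption, not the rule's own list).
HIGH_TRUST_DOMAINS = {"trusted-vendor.example"}

def is_exactag_open_redirect(url: str) -> bool:
    """True if the URL has the exactag.com / ai.aspx / url= structure the rule looks for."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # Host must be exactag.com or a subdomain; this is what defeats look-alike paths.
    if host != "exactag.com" and not host.endswith(".exactag.com"):
        return False
    if "ai.aspx" not in parsed.path.lower():
        return False
    # Query keys compared case-insensitively; blank values still count as present.
    keys = {k.lower() for k in parse_qs(parsed.query, keep_blank_values=True)}
    return "url" in keys

def redirect_target(url: str):
    """Return the decoded destination carried in the url= parameter, or None."""
    if not is_exactag_open_redirect(url):
        return None
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    for key, values in qs.items():
        if key.lower() == "url" and values:
            return values[0]
    return None

def sender_is_suspicious(profile: SenderProfile) -> bool:
    """Unsolicited senders, or solicited senders with unrefuted malicious/spam history."""
    return (not profile.solicited) or (
        profile.any_malicious_or_spam and not profile.any_false_positives
    )

def rule_matches(msg: Message) -> bool:
    """Apply the full rule: link structure, sender profile, and trusted-domain/DMARC exclusion."""
    if not any(is_exactag_open_redirect(u) for u in msg.links):
        return False
    if not sender_is_suspicious(msg.profile):
        return False
    # Highly trusted domains are excluded unless DMARC failed (possible spoof).
    if msg.sender_domain.lower() in HIGH_TRUST_DOMAINS and msg.dmarc_pass:
        return False
    return True

# Constructed sample messages exercising the main branches of the rule.
SAMPLE_MESSAGES = [
    Message("m1", "newsletter.example",
            ["https://www.exactag.com/ai.aspx?url=https%3A%2F%2Fevil.example%2Flogin"],
            True, SenderProfile(False, False, False)),          # unsolicited + redirect: match
    Message("m2", "evil.example",
            ["https://evil.example/exactag.com/ai.aspx?url=https://evil.example/x"],
            True, SenderProfile(False, False, False)),          # decoy host: no match
    Message("m3", "trusted-vendor.example",
            ["https://exactag.com/AI.aspx?URL=https://evil.example/x"],
            True, SenderProfile(False, False, False)),          # trusted + DMARC pass: excluded
    Message("m4", "trusted-vendor.example",
            ["https://exactag.com/ai.aspx?url=https://evil.example/x"],
            False, SenderProfile(False, False, False)),         # trusted but DMARC fail: match
    Message("m5", "partner.example",
            ["https://exactag.com/ai.aspx?url=https://evil.example/x"],
            True, SenderProfile(True, True, False)),            # solicited, bad history: match
    Message("m6", "partner.example",
            ["https://exactag.com/ai.aspx?url=https://evil.example/x"],
            True, SenderProfile(True, True, True)),             # solicited, history refuted: no match
]

def evaluate(messages=SAMPLE_MESSAGES) -> dict:
    """Map message id to whether the rule fires."""
    return {m.msg_id: rule_matches(m) for m in messages}

if __name__ == "__main__":
    for msg_id, hit in evaluate().items():
        print(msg_id, "MATCH" if hit else "-")
```

The structural parse is the important choice: matching on the hostname keeps the rule from firing on URLs that merely mention exactag.com in their path, and lowercasing the path and query keys stops trivial case changes from evading it.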
Categories
- Web
- Cloud
Data Sources
- Web Credential
- Network Traffic
Created: 2024-08-22