Open Redirect: xfinity.com

Sublime Rules

Summary
This detection rule identifies potential exploitation of an open redirect vulnerability on the xfinity.com domain. Open redirects of this kind are commonly abused for credential phishing and malware delivery, since the link starts on a legitimate domain before forwarding the recipient elsewhere. The rule inspects inbound messages for links on the xfinity.com domain whose path is '/learn/cima/login' and whose query string contains a 'referer=' parameter, and checks that the referer value is not a trusted one pointing back to xfinity.com. Messages are further filtered by the sender's domain and solicitation status. The sender's profile is examined for any history of malicious or spam messages, and its DMARC authentication status is taken into account, which helps separate legitimate mail from potential phishing attempts. Highly trusted sender domains are excluded unless they fail DMARC authentication, which keeps false positives down. Overall, this rule is crucial for mitigating risks associated with open redirects and protecting users from phishing attacks.
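As an added example (not the Sublime rule's own MQL or code), the following Python models the URL conditions described in the summary, plus a simplified version of the sender gating. The trusted-sender set, the sample links and the precedence of the sender checks are assumptions for illustration.

```python
from urllib.parse import urlparse, parse_qs

TARGET_DOMAIN = "xfinity.com"           # domain named in the rule
TARGET_PATH = "/learn/cima/login"       # login path named in the rule
# Constructed placeholder set; the real rule's trusted-domain list is not on the page.
HIGHLY_TRUSTED_SENDERS = {"xfinity.com", "trusted-partner.example"}

def _on_domain(host, domain):
    """True for the domain itself or any subdomain (label match, not substring)."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def is_suspicious_redirect(url):
    """xfinity.com /learn/cima/login link whose referer= value leaves xfinity.com."""
    parsed = urlparse(url)
    if not _on_domain(parsed.hostname, TARGET_DOMAIN):
        return False
    if parsed.path.rstrip("/").lower() != TARGET_PATH:
        return False
    # parse_qs percent-decodes values, so an encoded referer is handled too
    for target in parse_qs(parsed.query, keep_blank_values=True).get("referer", []):
        dest = urlparse(target)
        if not dest.netloc:
            continue  # relative path such as /home stays on xfinity.com
        if not _on_domain(dest.hostname, TARGET_DOMAIN):
            return True  # redirect lands off-domain: the pattern the rule looks for
    return False

def flag_links(links):
    """Return the subset of message links matching the open-redirect pattern."""
    return [u for u in links if is_suspicious_redirect(u)]

def should_alert(links, sender_domain, dmarc_pass, sender_has_bad_history=False):
    """Assumed precedence: trusted sender + DMARC pass + clean history suppresses."""
    if not flag_links(links):
        return False
    trusted = sender_domain.lower() in HIGHLY_TRUSTED_SENDERS
    return not (trusted and dmarc_pass and not sender_has_bad_history)

# Constructed sample links (not real observed indicators)
SAMPLE_LINKS = [
    "https://www.xfinity.com/learn/cima/login?referer=https://phish.example/signin",
    "https://www.xfinity.com/learn/cima/login?referer=https://www.xfinity.com/account",
    "https://xfinity.com.phish.example/learn/cima/login?referer=https://phish.example/",
    "https://www.xfinity.com/learn/cima/login?referer=%2F%2Fphish.example%2F",
]

if __name__ == "__main__":
    print(*flag_links(SAMPLE_LINKS), sep="\n")
```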
Categories
  • Web
  • Identity Management
Data Sources
  • Web Credential
  • User Account
Created: 2025-01-02