Summary
This detection rule identifies potentially malicious emails that abuse an open redirect on the City of Calgary's official domain (calgary.ca). It checks whether the email body contains links pointing to calgary.ca with the path '/_layouts/cocis/DirectDownload.aspx' and a 'redirect' parameter in the query string. It requires that the sending domain is not calgary.ca, so that messages impersonating the official domain are flagged. The rule also considers the sender's profile: whether the sender's messages were solicited, or whether the sender has a history of malicious or spam-like messages that were not marked as false positives. Finally, it adds a layer of trust by excluding highly trusted sending domains unless they fail DMARC authentication, which improves the accuracy of detection for phishing attempts. The rule targets attacks classified as credential phishing, covers the tactics of exploit abuse and social engineering, and relies on sender analysis and URL analysis for detection.
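The following Python module is an added illustration of the detection logic described above; it is not the rule's own query language or code from the rule's author. It extracts anchor links from an email body, matches the calgary.ca open-redirect URL shape, and applies the sender-domain, sender-profile and trust/DMARC exclusions. The sample messages, the trusted-domain set and the sender-profile fields (`solicited`, `any_malicious_or_spam`, `any_false_positives`) are constructed assumptions for this example; the interpretation that an unsolicited sender, or one with prior malicious/spam messages not marked as false positives, satisfies the sender-profile condition is also an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed placeholder for a "highly trusted domains" list; the real rule uses its own trust source.
HIGH_TRUST_DOMAINS = {"trusted-partner.example"}

TARGET_DOMAIN = "calgary.ca"
TARGET_PATH = "/_layouts/cocis/directdownload.aspx"


class _LinkExtractor(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value.strip())


def extract_links(html_body):
    parser = _LinkExtractor()
    parser.feed(html_body)
    return parser.links


def is_calgary_open_redirect(url):
    """True if the URL points at calgary.ca's DirectDownload.aspx with a redirect parameter."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False  # malformed URL (e.g. bad IPv6 literal); not a match
    host = (parsed.hostname or "").lower()
    if host != TARGET_DOMAIN and not host.endswith("." + TARGET_DOMAIN):
        return False
    if parsed.path.lower() != TARGET_PATH:
        return False
    # keep_blank_values so that "?redirect=" (empty value) still counts as present
    query = parse_qs(parsed.query, keep_blank_values=True)
    return any(key.lower() == "redirect" for key in query)


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def evaluate(message):
    """Return (flagged, matched_urls) for a message dict with sender, body_html, dmarc_pass, sender_profile."""
    matches = [u for u in extract_links(message["body_html"]) if is_calgary_open_redirect(u)]
    if not matches:
        return False, []
    domain = sender_domain(message["sender"])
    if domain == TARGET_DOMAIN:
        return False, []  # genuine calgary.ca mail is out of scope
    if domain in HIGH_TRUST_DOMAINS and message.get("dmarc_pass", False):
        return False, []  # trusted domain that passed DMARC is excluded
    profile = message.get("sender_profile", {})
    suspicious_sender = (not profile.get("solicited", False)) or (
        profile.get("any_malicious_or_spam", False) and not profile.get("any_false_positives", False)
    )
    if suspicious_sender:
        return True, matches
    return False, []


# Constructed sample messages (not real traffic).
SAMPLE_PHISH = {
    "sender": "alerts@calgary-notices.example",
    "dmarc_pass": True,
    "sender_profile": {"solicited": False},
    "body_html": (
        '<p>Your invoice is ready.</p>'
        '<a href="https://www.calgary.ca/_layouts/cocis/DirectDownload.aspx?redirect=https://login.attacker.example/">View</a>'
        '<a href="mailto:alerts@calgary-notices.example">Contact</a>'
    ),
}

SAMPLE_LEGIT = {
    "sender": "noreply@calgary.ca",
    "dmarc_pass": True,
    "sender_profile": {"solicited": True},
    "body_html": '<a href="https://www.calgary.ca/_layouts/cocis/DirectDownload.aspx?redirect=/docs/notice.pdf">Open</a>',
}

SAMPLE_NO_REDIRECT = {
    "sender": "news@newsletter.example",
    "dmarc_pass": False,
    "sender_profile": {"solicited": False},
    "body_html": '<a href="https://www.calgary.ca/_layouts/cocis/DirectDownload.aspx?file=1">Open</a>',
}

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT), ("no_redirect", SAMPLE_NO_REDIRECT)):
        print(name, evaluate(msg))
```

The path comparison is case-insensitive because IIS/SharePoint paths are, and the query check only tests for the presence of a `redirect` key, matching the summary rather than inspecting the redirect target.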
Categories
- Web
- Identity Management
- Endpoint
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2024-09-11