
Summary
This detection rule targets potential phishing attacks that abuse an open redirect associated with the Signature Travel Network. It identifies messages containing links to the domain 'sigtn.com' whose path ends with 'emt.cfm' and whose query string includes the parameter 'link='. To exclude legitimate communications from trusted sources, the sender's email domain must not be recognized as belonging to Signature Travel Network or its affiliates. The rule also takes the sender's history into account: if the sender has a track record of malicious or spam messages without any false positives, the message is flagged. Highly trusted senders are bypassed unless their DMARC authentication fails, which further refines the detection criteria. Together these checks minimize false positives and ensure that only potentially harmful messages are flagged for review, strengthening the organization's security posture against credential phishing.
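As an added illustration, not the rule's own logic, the following Python re-implements the criteria described above over constructed sample messages; the sender-history fields, the URL regex and the sample addresses are assumptions, since the page does not specify them.

```python
# Added example, not part of the original rule: a minimal re-implementation
# of the summary's criteria over constructed sample messages.
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Sending domain named on the page; affiliate domains would be added by the
# operator (the page does not enumerate them).
LEGIT_SENDER_DOMAINS = {"sigtn.com"}


@dataclass
class SenderProfile:
    """Hypothetical sender-history record; field names are assumptions."""
    malicious_or_spam: int = 0   # prior messages judged malicious or spam
    false_positives: int = 0     # prior flags later cleared as benign
    highly_trusted: bool = False
    dmarc_pass: bool = True


@dataclass
class Message:
    sender: str
    body: str
    profile: SenderProfile = field(default_factory=SenderProfile)


def is_sigtn_open_redirect(url: str) -> bool:
    """True for a sigtn.com URL whose path ends in emt.cfm and carries link=."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host != "sigtn.com" and not host.endswith(".sigtn.com"):
        return False
    if not p.path.lower().endswith("emt.cfm"):
        return False
    return "link" in parse_qs(p.query, keep_blank_values=True)


def matches_rule(msg: Message) -> bool:
    """Apply the summary's conditions in order; True means the message is flagged."""
    if not any(is_sigtn_open_redirect(u) for u in URL_RE.findall(msg.body)):
        return False
    if msg.sender.rsplit("@", 1)[-1].lower() in LEGIT_SENDER_DOMAINS:
        return False  # legitimate Signature Travel Network mail
    prof = msg.profile
    if prof.highly_trusted and prof.dmarc_pass:
        return False  # trusted sender with intact authentication is bypassed
    # Sender history: flagged when prior malicious/spam and no false positives.
    return prof.malicious_or_spam > 0 and prof.false_positives == 0
```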
Categories
- Web
- Cloud
- Endpoint
- Application
- Identity Management
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2024-09-11