Open Redirect: ust.hk

Sublime Rules

Summary
This detection rule identifies potentially malicious messages that abuse the open redirect associated with the domain 'ust.hk'. Attackers can leverage such redirects for credential phishing and for delivering malware or ransomware, because a link that appears to point at a legitimate host ends up sending the user to a deceptive site. The rule checks inbound messages for links that reference 'shib.ust.hk', include '/discovery.jsp' in the path, and carry a return query of the kind typical of this abuse. It then assesses the trust level of the sender: messages from high-trust sender domains are excluded unless the message fails DMARC authentication, so only senders that are either untrusted or failing authentication are flagged. This layered approach limits false positives from legitimate senders while still catching potentially harmful traffic.
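The checks described above, as an added Python example run over constructed sample messages; this is not the Sublime rule's own source. The query parameter name `return`, the `Message` fields and the sample domains are assumptions, not values taken from the rule.

```python
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs


@dataclass
class Message:
    """Minimal stand-in for an inbound message (assumed fields)."""
    sender_domain: str
    links: list
    dmarc_pass: bool   # assumption: DMARC result already evaluated
    high_trust: bool   # assumption: precomputed sender-trust flag


def is_ust_open_redirect(url: str) -> bool:
    """True when a link points at shib.ust.hk, has /discovery.jsp in the path,
    and its (assumed) 'return' parameter targets a host outside ust.hk."""
    p = urlparse(url)
    if (p.hostname or "").lower() != "shib.ust.hk":
        return False
    if "/discovery.jsp" not in p.path.lower():
        return False
    for target in parse_qs(p.query).get("return", []):   # percent-decoded
        t = urlparse(target)
        host = (t.hostname or "").lower()
        internal = host == "ust.hk" or host.endswith(".ust.hk")
        if t.scheme in ("http", "https") and host and not internal:
            return True
    return False


def rule_matches(msg: Message) -> bool:
    """Layered check: an abusive link is required, and high-trust senders
    are excluded unless the message fails DMARC."""
    if not any(is_ust_open_redirect(u) for u in msg.links):
        return False
    if msg.high_trust and msg.dmarc_pass:
        return False
    return True


# Constructed sample messages (placeholder domains, not real indicators).
SAMPLES = {
    "phish": Message("example-phish.test", ["https://shib.ust.hk/discovery.jsp?return=https://login.example-phish.test/"], False, False),
    "legit_internal": Message("ust.hk", ["https://shib.ust.hk/discovery.jsp?return=https://cas.ust.hk/login"], True, True),
    "spoofed_trusted": Message("trusted.example", ["https://shib.ust.hk/DISCOVERY.JSP?return=https%3A%2F%2Fbad.example%2F"], False, True),
    "unrelated_host": Message("x.test", ["https://example.org/discovery.jsp?return=https://bad.example/"], True, False),
}


def evaluate_samples() -> dict:
    """Run the rule over every sample and return name -> matched."""
    return {name: rule_matches(m) for name, m in SAMPLES.items()}
```

Only the phishing message and the DMARC-failing message that claims a trusted sender match; the internal return target and the unrelated host do not.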
Categories
  • Web
  • Cloud
  • Application
Data Sources
  • User Account
  • Network Traffic
  • Web Credential
Created: 2024-08-22