Open Redirect: Google domain with /url path and suspicious indicators

Sublime Rules

Summary
This detection rule identifies potential open-redirect abuse of Google's redirect mechanism, specifically URLs of the form 'google.com/url...'. It applies to messages that either carry image attachments or carry no attachments at all, and it excludes authenticated messages sent by Google itself to reduce false positives. The detection is layered: it confirms that the sender's domain is not one of the organization's own domains, checks the message body for Google redirect patterns, and then looks for additional suspicious indicators of credential theft, such as unexpected image attachments, urgency language, and other malicious attributes. Natural language understanding and optical character recognition models support these checks, with the aim of catching phishing that abuses Google's services as a redirect hop.
Categories
  • Web
  • Endpoint
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
  • File
  • Process
  • Image
Created: 2023-08-17