Open redirect: Klaviyo

Sublime Rules

Summary
This detection rule flags inbound messages that carry links abusing an open redirect on Klaviyo's kmail-lists.com domain. It matches links whose URL points at the Klaviyo subscription update path and carries query parameters characteristic of an open redirect exploit attempt, then checks whether the link's display text matches the legitimate variants Klaviyo uses for such links (for example 'subscribe' or 'manage'). A Klaviyo subscription link with unrelated display text suggests the sender is borrowing the trusted domain to disguise the real destination, a common impersonation and social engineering technique. Matches typically indicate credential phishing or spam campaigns that launder their landing page through the open redirect. The rule therefore combines link-structure analysis with the visible link text rather than relying on either signal alone.
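As an added illustration of the logic described above (this is not the Sublime rule itself, which is written in Sublime's MQL, nor code from Klaviyo), the following Python re-implements the three checks over constructed sample links: the host must be kmail-lists.com, the path must contain the assumed subscription-path fragment `/subscriptions/`, at least one query parameter must hold an absolute URL pointing off-domain (the assumed "suspicious query parameter" signal), and the display text must not contain a legitimate word such as 'subscribe' or 'manage'. The hostnames, paths, parameter names and attacker domain in the samples are all constructed for the example.

```python
"""Re-implementation of the Klaviyo open-redirect link check (added example).

Assumptions, none of which come from the original rule text:
  - the subscription update endpoint lives under a "/subscriptions/" path,
  - an open-redirect attempt shows up as a query parameter whose value is an
    absolute http(s) URL on a host other than kmail-lists.com,
  - legitimate link text contains "subscribe" (incl. "unsubscribe") or "manage".
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qs, urlparse

KLAVIYO_DOMAIN = "kmail-lists.com"
SUBSCRIPTION_PATH_HINT = "/subscriptions/"        # assumed path fragment
LEGIT_DISPLAY_WORDS = ("subscribe", "manage")      # from the rule description


@dataclass
class Link:
    """A hyperlink as it would be extracted from an inbound message body."""
    href: str
    display_text: str


def _is_klaviyo_host(host: str) -> bool:
    host = host.lower()
    return host == KLAVIYO_DOMAIN or host.endswith("." + KLAVIYO_DOMAIN)


def offsite_redirect_params(query: str) -> List[str]:
    """Names of query parameters whose value is an absolute URL to a non-Klaviyo host."""
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            target = urlparse(value)
            if (target.scheme in ("http", "https") and target.hostname
                    and not _is_klaviyo_host(target.hostname)):
                hits.append(name)
    return hits


def display_text_is_legit(text: str) -> bool:
    """True when the visible link text looks like a genuine subscription link."""
    lowered = text.strip().lower()
    return any(word in lowered for word in LEGIT_DISPLAY_WORDS)


def is_klaviyo_open_redirect(link: Link) -> bool:
    """Apply the three checks: Klaviyo host + subscription path, offsite redirect
    parameter, and display text that does not match the legitimate variants."""
    url = urlparse(link.href)
    if url.scheme not in ("http", "https") or not url.hostname:
        return False
    if not _is_klaviyo_host(url.hostname):
        return False
    if SUBSCRIPTION_PATH_HINT not in url.path.lower():
        return False
    if not offsite_redirect_params(url.query):
        return False
    return not display_text_is_legit(link.display_text)


def scan(links: List[Link]) -> List[str]:
    """Return the hrefs of links that match the detection."""
    return [link.href for link in links if is_klaviyo_open_redirect(link)]


# Constructed sample links (not real campaign data).
SAMPLE_LINKS = [
    # 1. Ordinary unsubscribe link: no offsite parameter, legitimate text.
    Link("https://manage.kmail-lists.com/subscriptions/unsubscribe?a=ABC123&c=XYZ",
         "Unsubscribe"),
    # 2. Open redirect to a look-alike login page with unrelated display text.
    Link("https://manage.kmail-lists.com/subscriptions/update?a=ABC123"
         "&redirect=https://login-verify.example/office365",
         "Review your account"),
    # 3. Offsite redirect but legitimate-looking text: outside the rule's scope.
    Link("https://manage.kmail-lists.com/subscriptions/update?a=ABC123"
         "&redirect=https://login-verify.example/office365",
         "Manage preferences"),
    # 4. Redirect parameter on a non-Klaviyo host: not this rule's concern.
    Link("https://other-esp.example/subscriptions/update?redirect=https://login-verify.example/",
         "Click here"),
]

if __name__ == "__main__":
    for href in scan(SAMPLE_LINKS):
        print("FLAGGED:", href)
```

Only the second sample is flagged: the first has no offsite parameter, the third carries legitimate display text (which the rule as described treats as benign, so a lure using "Manage preferences" as its text would need a separate signal), and the fourth is not on a Klaviyo host at all.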
Categories
  • Web
  • Cloud
Data Sources
  • User Account
  • Process
  • Network Traffic
Created: 2024-05-14