
Open Redirect: g7.fr

Sublime Rules

Summary
This detection rule identifies inbound messages that link to the domain `g7.fr` in a form consistent with abuse of an open redirect on that site, a technique that has been actively used in phishing campaigns: the attacker embeds a link whose visible domain is the legitimate g7.fr, and the site's redirect endpoint forwards the victim to an attacker-controlled page. The rule checks whether any link in the message body has a domain matching `g7.fr` and a URL path that starts with `//` and ends with `/`, the shape typical of this redirect. A path beginning with `//` is commonly interpreted as a protocol-relative URL, so a link such as `https://g7.fr//attacker.example/` (a hypothetical illustration) lands on a different host than the one the recipient sees. To limit noise, the rule incorporates sender profile analysis: it fires only if the sender is unsolicited, or if the sender has previously sent messages flagged as malicious or spam without any recorded false positives. It also negates trusted sender domains unless the message fails DMARC authentication, so that known-safe senders do not trigger alerts while spoofed mail purporting to come from them still does. Together these conditions surface phishing attempts that use the g7.fr redirect to disguise malicious links capable of harvesting credentials or other sensitive data.
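The following is an added reference implementation of the logic described above, written for this page; it is not the rule's own source and does not use Sublime's query language. The sender profile fields, the `Message` shape, the trusted-domain set `HIGH_TRUST_ROOT_DOMAINS`, the sample messages and every URL in them are constructed assumptions standing in for the platform's sender profiling, trusted-sender list and parsed message data. It runs the link check, the sender-profile gate and the trusted-domain/DMARC negation over a handful of constructed messages so the interaction of the three conditions can be seen.

```python
"""Added example: a plain-Python rendering of the "Open Redirect: g7.fr" rule
logic. Not the Sublime rule source; profile fields, trusted domains and sample
messages are assumptions made for illustration."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class SenderProfile:
    solicited: bool                       # recipient org has previously mailed this sender
    any_messages_malicious_or_spam: bool  # sender has prior malicious/spam verdicts
    any_false_positives: bool             # ...but some of those verdicts were overturned


@dataclass
class Message:
    name: str                 # label for the constructed sample only
    sender_domain: str        # domain of the envelope/from sender
    dmarc_pass: bool          # DMARC authentication result for this message
    sender: SenderProfile
    links: list = field(default_factory=list)  # href URLs extracted from the body


# Assumed stand-in for the trusted-sender list the rule consults.
HIGH_TRUST_ROOT_DOMAINS = {"bigbank.example"}


def root_domain(host: str) -> str:
    """Simplified root-domain extraction (last two labels). The real platform is
    public-suffix aware; this example deliberately is not."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_is_g7_redirect(href: str) -> bool:
    """True when the link points at g7.fr with a path shaped like the abused
    redirect: it begins with '//' (protocol-relative, i.e. a foreign host)
    and ends with '/'. The query string is ignored, as only the path matters."""
    parts = urlsplit(href)
    if root_domain(parts.hostname or "") != "g7.fr":
        return False
    return parts.path.startswith("//") and parts.path.endswith("/")


def sender_is_suspicious(profile: SenderProfile) -> bool:
    """Unsolicited senders always qualify; solicited senders only if they have a
    malicious/spam history that was never overturned as a false positive."""
    return (not profile.solicited) or (
        profile.any_messages_malicious_or_spam and not profile.any_false_positives
    )


def trusted_and_authenticated(msg: Message) -> bool:
    """The negation clause: a trusted root domain suppresses the alert only when
    the message actually passes DMARC, so spoofed trusted domains still fire."""
    return root_domain(msg.sender_domain) in HIGH_TRUST_ROOT_DOMAINS and msg.dmarc_pass


def rule_matches(msg: Message) -> bool:
    """All three conditions must hold for the rule to flag the message."""
    has_redirect_link = any(link_is_g7_redirect(u) for u in msg.links)
    return (
        has_redirect_link
        and sender_is_suspicious(msg.sender)
        and not trusted_and_authenticated(msg)
    )


# Constructed samples: every address, domain and URL below is made up.
UNSOLICITED = SenderProfile(solicited=False, any_messages_malicious_or_spam=False, any_false_positives=False)
CLEAN_KNOWN = SenderProfile(solicited=True, any_messages_malicious_or_spam=False, any_false_positives=False)
SPAMMY_KNOWN = SenderProfile(solicited=True, any_messages_malicious_or_spam=True, any_false_positives=False)
SPAMMY_BUT_FP = SenderProfile(solicited=True, any_messages_malicious_or_spam=True, any_false_positives=True)

SAMPLE_MESSAGES = [
    Message("unsolicited phish via redirect", "random-sender.example", False, UNSOLICITED,
            ["https://g7.fr//login-verify.example/"]),
    Message("legitimate g7.fr newsletter", "g7.fr", True, CLEAN_KNOWN,
            ["https://www.g7.fr/reservation/"]),
    Message("trusted sender, DMARC pass", "bigbank.example", True, UNSOLICITED,
            ["https://g7.fr//login-verify.example/"]),
    Message("spoofed trusted sender, DMARC fail", "bigbank.example", False, UNSOLICITED,
            ["https://g7.fr//login-verify.example/?id=42"]),
    Message("known sender with spam history", "partner.example", True, SPAMMY_KNOWN,
            ["https://www.g7.fr//login-verify.example/"]),
    Message("known sender, spam history overturned", "partner.example", True, SPAMMY_BUT_FP,
            ["https://g7.fr//login-verify.example/"]),
]


def evaluate(messages=SAMPLE_MESSAGES) -> dict:
    """Return {sample name: rule verdict} for a list of messages."""
    return {m.name: rule_matches(m) for m in messages}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'pass '}  {name}")
```

The two samples worth comparing are the trusted-sender pair: the same redirect link from `bigbank.example` is suppressed when DMARC passes and flagged when it fails, which is exactly the behaviour the negation clause is meant to give. Note also that `root_domain` is a deliberate simplification; a production implementation should use a public-suffix-aware library so that hosts such as `g7.fr.attacker.example` and multi-label suffixes are handled correctly.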
Categories
  • Web
  • Network
  • Cloud
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Network Traffic
  • Web Credential
  • Application Log
Created: 2024-08-22