Summary
This detection rule identifies potential phishing or fraud delivered through open-redirect links in attachments from new or unusual senders. Its focus is documents such as PDFs or Word files containing links that redirect through doubleclick.net. The rule first checks that the incoming message has no links in its body, then inspects the attachments for links to doubleclick.net. It looks specifically for URL paths that match patterns typical of ad click tracking (e.g., "/aclk", "/pcs/click"), and it checks the URL parameters for values that could redirect the user to a phishing site. The risk is heightened when the sender is new or an outlier, or when the sender has a history of messages flagged as malicious that were not incorrectly labeled as spam. The medium severity reflects that such links warrant monitoring because of the risk they carry.
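To make the rule's conditions concrete, the following Python is an added example that is not the rule's own implementation and is not from the original page. It evaluates the same sequence of checks (no body links, attachment links to doubleclick.net with a click-tracking path, a redirect destination in the query string, a risky sender) over constructed sample messages. The message and sender data model, and the redirect parameter names `adurl`, `url` and `dest`, are assumptions made for the example; the page names no parameters.

```python
"""Added example: evaluate the open-redirect-in-attachment logic over parsed messages.

Assumptions (not on the page): messages are already parsed into body links,
attachment links and a sender profile; the redirect parameter names below are
a guess at what a click-tracking redirector might use.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

TRACKING_HOST = "doubleclick.net"
# Path prefixes the page cites as typical of ad click tracking.
TRACKING_PATH_PREFIXES = ("/aclk", "/pcs/click")
# Assumed names of query parameters that carry a redirect destination.
REDIRECT_PARAMS = ("adurl", "url", "dest")


@dataclass
class Sender:
    is_new: bool = False
    is_outlier: bool = False
    # Previously flagged malicious and not a false positive labeled as spam.
    prior_malicious: bool = False


@dataclass
class Message:
    body_links: list[str] = field(default_factory=list)
    attachment_links: list[str] = field(default_factory=list)
    sender: Sender = field(default_factory=Sender)


def is_doubleclick_host(host: str) -> bool:
    """True for doubleclick.net itself or any subdomain of it."""
    host = host.lower()
    return host == TRACKING_HOST or host.endswith("." + TRACKING_HOST)


def is_tracking_click_path(path: str) -> bool:
    return any(path.startswith(prefix) for prefix in TRACKING_PATH_PREFIXES)


def redirect_target(url: str) -> str | None:
    """Return the first off-domain http(s) destination found in the query, else None."""
    query = parse_qs(urlparse(url).query)
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            dest = urlparse(value)
            if dest.scheme in ("http", "https") and dest.hostname \
                    and not is_doubleclick_host(dest.hostname):
                return value
    return None


def suspicious_attachment_links(msg: Message) -> list[tuple[str, str]]:
    """Return (link, redirect_destination) pairs for attachment links that match."""
    hits = []
    for link in msg.attachment_links:
        parsed = urlparse(link)
        if not is_doubleclick_host(parsed.hostname or ""):
            continue
        if not is_tracking_click_path(parsed.path):
            continue
        target = redirect_target(link)
        if target is not None:
            hits.append((link, target))
    return hits


def sender_is_risky(sender: Sender) -> bool:
    return sender.is_new or sender.is_outlier or sender.prior_malicious


def evaluate(msg: Message) -> bool:
    """True when the message satisfies every condition the rule describes."""
    if msg.body_links:          # rule requires no links in the message body
        return False
    if not sender_is_risky(msg.sender):
        return False
    return bool(suspicious_attachment_links(msg))


# Constructed sample messages; every URL below is invented for illustration.
SAMPLE_MATCH = Message(
    attachment_links=[
        "https://ad.doubleclick.net/pcs/click?adurl=https%3A%2F%2Fexample.invalid%2Flogin",
    ],
    sender=Sender(is_new=True),
)
SAMPLE_BENIGN = Message(           # body links present -> rule does not fire
    body_links=["https://example.invalid/newsletter"],
    attachment_links=SAMPLE_MATCH.attachment_links,
    sender=Sender(is_new=True),
)
SAMPLE_NO_REDIRECT = Message(      # tracking path but no redirect destination
    attachment_links=["https://ad.doubleclick.net/aclk?id=123"],
    sender=Sender(is_outlier=True),
)

if __name__ == "__main__":
    for name, sample in [("match", SAMPLE_MATCH), ("benign", SAMPLE_BENIGN),
                         ("no_redirect", SAMPLE_NO_REDIRECT)]:
        print(name, evaluate(sample), suspicious_attachment_links(sample))
```

The redirect check deliberately ignores destinations that stay on doubleclick.net, so ordinary ad-tracking links that do not leave the tracking domain are not reported; only a click-tracking path whose query carries an external destination counts.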
Categories
- Web
- Endpoint
- Identity Management
- Application
Data Sources
- File
- Process
- Network Traffic
Created: 2024-10-24