Open Redirect (go2.aspx) leading to Microsoft credential phishing

Sublime Rules

Summary
This rule identifies credential-phishing emails that abuse an open redirect whose URL path ends in 'go2.aspx', a pattern seen in campaigns targeting Microsoft users. Detection combines four checks:
  • the URL path of a link in the inbound email ends with 'go2.aspx';
  • the query parameters contain a base64-encoded string consistent with a phishing redirect, specifically an encoded email address or domain;
  • the email headers show anomalies such as missing mailer information, which suggests the message was crafted to mislead;
  • the email body contains Microsoft-related terms, confirming the message poses as a Microsoft communication.
Combining URL pattern checks, header scrutiny and content analysis improves detection accuracy. The rule is categorized under the attack type of credential phishing and the tactics of brand impersonation and open redirect, matching common methods attackers use to trick users into revealing sensitive information.
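The following is an added illustration of the four checks described above, written for this page; it is not the Sublime rule itself and does not use Sublime's query language. It assumes a simple message dictionary with `headers`, `body` and `urls` keys, models "missing mailer information" as the absence of an X-Mailer or User-Agent header, and uses a constructed list of Microsoft brand terms. Sample messages are constructed inline.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed brand-term list (an assumption, not the rule's own list).
MICROSOFT_TERMS = ("microsoft", "office 365", "office365", "outlook", "onedrive", "sharepoint")

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def decode_b64(value: str) -> Optional[str]:
    """Strictly decode a base64 or base64url value; return None if it is not base64 ASCII text."""
    candidate = value.strip()
    if len(candidate) < 8 or not re.fullmatch(r"[A-Za-z0-9+/_-]+=*", candidate):
        return None
    padded = candidate + "=" * (-len(candidate) % 4)  # tolerate stripped padding
    try:
        raw = base64.urlsafe_b64decode(padded.replace("+", "-").replace("/", "_"))
        return raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def path_is_go2(url: str) -> bool:
    """Check 1: the URL path ends with go2.aspx (case-insensitive)."""
    return urlsplit(url).path.lower().endswith("go2.aspx")


def encoded_redirect_target(url: str) -> Optional[str]:
    """Check 2: return a base64-encoded email address or domain found in the query, if any.

    The query is split by hand so that '+' inside base64 survives (parse_qsl would
    turn it into a space).
    """
    for part in urlsplit(url).query.split("&"):
        _key, _, value = part.partition("=")
        decoded = decode_b64(unquote(value))
        if decoded and (EMAIL_RE.match(decoded) or DOMAIN_RE.match(decoded)):
            return decoded
    return None


def lacks_mailer_header(headers: dict) -> bool:
    """Check 3 (assumption): no X-Mailer or User-Agent header counts as missing mailer info."""
    names = {name.lower() for name in headers}
    return not ({"x-mailer", "user-agent"} & names)


def mentions_microsoft(body: str) -> bool:
    """Check 4: the body uses Microsoft-related terms."""
    text = body.lower()
    return any(term in text for term in MICROSOFT_TERMS)


def evaluate(message: dict) -> dict:
    """Run all four checks; 'match' is True only when every check fires."""
    go2_urls = [u for u in message.get("urls", []) if path_is_go2(u)]
    targets = [t for u in go2_urls for t in [encoded_redirect_target(u)] if t]
    result = {
        "go2_path": bool(go2_urls),
        "encoded_target": targets[0] if targets else None,
        "missing_mailer": lacks_mailer_header(message.get("headers", {})),
        "microsoft_lure": mentions_microsoft(message.get("body", "")),
    }
    result["match"] = (result["go2_path"] and result["encoded_target"] is not None
                       and result["missing_mailer"] and result["microsoft_lure"])
    return result


# Constructed sample messages (not real campaign data).
_VICTIM_B64 = base64.urlsafe_b64encode(b"jane.doe@example.com").decode()
PHISH = {
    "headers": {"From": "notices@example.net", "Subject": "Action required"},
    "body": "Your Microsoft 365 password expires today. Sign in to keep access.",
    "urls": ["https://redirector.example.org/path/go2.aspx?u=" + _VICTIM_B64],
}
BENIGN = {
    "headers": {"From": "it@example.com", "X-Mailer": "Example Mailer 1.0"},
    "body": "Reminder: Microsoft Teams town hall at 3pm.",
    "urls": ["https://intranet.example.com/news/go2.aspx?id=42"],
}

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("benign", BENIGN)):
        print(label, evaluate(msg))
```

The benign message shows why the rule requires all four signals together: a legitimate intranet link can end in go2.aspx and mention Microsoft, but it carries a mailer header and no base64-encoded recipient in its query string, so it does not match.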
Categories
  • Web
  • Identity Management
  • Cloud
Data Sources
  • Web Credential
  • User Account
  • Network Traffic
Created: 2023-05-09