
Open redirect: Newegg

Sublime Rules

Summary
This rule identifies potential phishing attempts that abuse an open redirect on Newegg's domain. The detection logic targets messages containing URLs that point to 'newegg.com' with a path and query parameter characteristic of redirect abuse: the path '/rts/go2.aspx' and a query string containing 'x='. It also checks that the sender's email domain is not 'newegg.com', which suggests that a party other than Newegg is leveraging the open redirect for malicious purposes. To reduce false positives, the rule considers the sender's reputation, in particular whether a message from a highly trusted domain has failed DMARC authentication or whether the sender is a known source of malicious content. Combining sender analysis with URL analysis makes these threats easier to detect.
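The following is an added example, not the Sublime rule itself (Sublime rules are written in MQL, and the rule's actual source is not reproduced on this page). It re-implements the detection logic described above in plain Python over a few constructed sample messages so that the URL check, the sender-domain check, and the false-positive suppression can be seen working together. The message fields (`sender_domain`, `urls`, `dmarc_pass`, `sender_trusted`, `sender_malicious`) and the treatment of `www.newegg.com` and other subdomains as "pointing to newegg.com" are assumptions of this example; the sample URLs and domains are constructed and use `.invalid` names.

```python
"""Illustrative re-implementation of the 'Open redirect: Newegg' detection logic.

Assumptions (not stated by the rule page): messages are represented by the
dataclass below, subdomains of newegg.com count as the Newegg domain, and the
false-positive suppression applies when a highly trusted sender both passes
DMARC and is not a known malicious source.
"""
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlsplit, parse_qs


@dataclass
class Message:
    sender_domain: str                 # domain of the sender's email address
    urls: List[str] = field(default_factory=list)  # URLs extracted from the body
    dmarc_pass: bool = True            # DMARC authentication result
    sender_trusted: bool = False       # sender domain is on a "highly trusted" list
    sender_malicious: bool = False     # sender domain is a known malicious source


def _is_newegg_host(host: str) -> bool:
    host = host.lower()
    return host == "newegg.com" or host.endswith(".newegg.com")


def newegg_redirect_target(url: str):
    """Return the 'x' redirect target if the URL is a Newegg /rts/go2.aspx
    redirect with an x= parameter, otherwise None."""
    parts = urlsplit(url)
    if not _is_newegg_host(parts.hostname or ""):
        return None
    # IIS/ASP.NET paths are case-insensitive, so compare in lower case.
    if parts.path.lower() != "/rts/go2.aspx":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "x" not in params:          # the rule looks for a query containing 'x='
        return None
    return params["x"][0]


def evaluate(msg: Message) -> List[Tuple[str, str]]:
    """Return the list of (url, redirect_target) pairs that would cause the
    rule to fire for this message; an empty list means no detection."""
    # The rule only fires when the sender is NOT Newegg itself.
    if _is_newegg_host(msg.sender_domain):
        return []
    hits = [(u, t) for u in msg.urls
            if (t := newegg_redirect_target(u)) is not None]
    if not hits:
        return []
    # False-positive reduction: a highly trusted sender that passes DMARC and
    # is not a known malicious source is suppressed; DMARC failure or a bad
    # reputation removes that suppression.
    if msg.sender_trusted and msg.dmarc_pass and not msg.sender_malicious:
        return []
    return hits


def matches_rule(msg: Message) -> bool:
    return bool(evaluate(msg))


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = {
    "phish": Message(
        sender_domain="bulk-mailer.example.invalid",
        urls=["https://www.newegg.com/rts/go2.aspx?x=https://login.example.invalid/auth"]),
    "newegg_itself": Message(
        sender_domain="newegg.com",
        urls=["https://www.newegg.com/rts/go2.aspx?x=https://promo.newegg.com/deal"]),
    "trusted_dmarc_pass": Message(
        sender_domain="partner.example.invalid",
        urls=["https://www.newegg.com/rts/go2.aspx?x=https://partner.example.invalid/"],
        sender_trusted=True, dmarc_pass=True),
    "trusted_dmarc_fail": Message(
        sender_domain="partner.example.invalid",
        urls=["https://www.newegg.com/rts/go2.aspx?x=https://partner.example.invalid/"],
        sender_trusted=True, dmarc_pass=False),
    "other_newegg_path": Message(
        sender_domain="bulk-mailer.example.invalid",
        urls=["https://www.newegg.com/p/some-item?x=1"]),
}


if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(f"{name:20s} -> {'MATCH' if matches_rule(msg) else 'no match'} {evaluate(msg)}")
```

The sample set covers the four decision points in the description: a third-party sender using the redirect fires, Newegg sending its own redirect does not, a trusted sender is suppressed only while its DMARC result holds, and a Newegg URL on a different path is ignored.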
Categories
  • Web
  • Endpoint
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
Created: 2024-09-11