
Summary
This rule is designed to detect potential phishing attempts that exploit an open redirect associated with Ticketmaster. The detection analyzes inbound email messages that include links pointing to 'links.engage.ticketmaster.com' with a path containing '/ctt'. The rule checks whether the sender's domain is not 'ticketmaster.com', which may indicate that the email is not legitimately from Ticketmaster. Additional criteria include the evaluation of the sender's profile (whether the sender is trusted, or has a history of sending malicious or spam messages) and whether the sending domain passes DMARC authentication. The rule addresses the risk of attackers using Ticketmaster's domain as a façade to lure unsuspecting users into phishing schemes. It categorizes the severity of such messages as low but recognizes the significant risk associated with credential phishing and potential malware delivery using this technique. By implementing this rule, organizations can reduce their exposure to phishing attacks that leverage open redirects.
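The detection logic described above, written out as an added Python example (this is not the rule's own implementation). It assumes that sender-profile facts (trusted, prior malicious/spam history) and the DMARC result are already available as message attributes, and that a DMARC-passing, trusted sender with no bad history is treated as benign; the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

REDIRECT_HOST = "links.engage.ticketmaster.com"   # open-redirect host named in the rule
REDIRECT_PATH_MARKER = "/ctt"                      # path fragment named in the rule
LEGIT_SENDER_DOMAIN = "ticketmaster.com"           # the only sender domain the rule exempts

@dataclass
class Message:
    sender: str            # RFC 5322 From header value
    body: str              # HTML body
    dmarc_pass: bool       # assumed: DMARC evaluation result for the sending domain
    sender_trusted: bool   # assumed: sender profile says previously solicited / known good
    sender_flagged: bool   # assumed: sender profile has prior malicious or spam messages

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

def extract_links(body):
    """Return every href target found in the HTML body."""
    return HREF_RE.findall(body)

def is_ticketmaster_redirect(url):
    """True when the link uses the Ticketmaster engage host with a '/ctt' path."""
    parsed = urlparse(url)
    return parsed.hostname == REDIRECT_HOST and REDIRECT_PATH_MARKER in parsed.path

def sender_domain(from_header):
    """Extract the domain part of the From address (handles 'Name <user@dom>')."""
    return from_header.rsplit("@", 1)[-1].strip("<> ").lower()

def matches_rule(msg):
    """Return True when the message satisfies every condition of the rule."""
    if not any(is_ticketmaster_redirect(u) for u in extract_links(msg.body)):
        return False                                   # no redirect link present
    if sender_domain(msg.sender) == LEGIT_SENDER_DOMAIN:
        return False                                   # genuinely from ticketmaster.com
    # Assumed combination: authenticated, trusted sender with a clean history is benign.
    if msg.dmarc_pass and msg.sender_trusted and not msg.sender_flagged:
        return False
    return True

# Constructed sample messages: legitimate mail, a phishing lure, and a non-redirect link.
SAMPLES = [
    Message("Ticketmaster <noreply@ticketmaster.com>",
            '<a href="https://links.engage.ticketmaster.com/ctt?kn=1&m=2">Your tickets</a>',
            dmarc_pass=True, sender_trusted=True, sender_flagged=False),
    Message("IT Support <helpdesk@example-mail.test>",
            '<a href="https://links.engage.ticketmaster.com/ctt?kn=5&m=9">Verify now</a>',
            dmarc_pass=False, sender_trusted=False, sender_flagged=False),
    Message("newsletter@partner.test",
            '<a href="https://www.ticketmaster.com/event/123">Event details</a>',
            dmarc_pass=True, sender_trusted=True, sender_flagged=False),
]

def evaluate(messages):
    """Apply the rule to each message; returns one verdict per message."""
    return [matches_rule(m) for m in messages]
```

Only the second sample fires: it carries the '/ctt' redirect link, comes from a non-Ticketmaster domain, and fails DMARC from an untrusted sender.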
Categories
- Web
- Cloud
- Identity Management
Data Sources
- User Account
- Network Traffic
Created: 2023-03-31