
Summary
This detection rule identifies potential phishing attempts and malicious activity that abuse the domain 'eaoko.org', which has been observed in the wild as an open redirect. The rule inspects inbound messages for a specific link pattern: any link whose URL contains 'eaoko.org' together with a query parameter indicating a redirect action, specifically one containing 'goto='. To prevent false positives from trusted senders, it also requires that the sender's domain is not 'eaoko.org', unless the message fails DMARC authentication. By combining sender and URL analysis, the detection targets credential phishing and malware distribution delivered through the open redirect.
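The following is an added illustration of the logic described above, written for this page and not the rule's own implementation. It assumes a message record that already exposes the sender domain, a DMARC pass/fail flag and the extracted links; it matches on the link hostname rather than a raw substring, so 'eaoko.org' appearing only in another site's query string does not fire.

```python
from urllib.parse import urlsplit, parse_qs

REDIRECT_DOMAIN = "eaoko.org"


def is_redirect_link(url: str) -> bool:
    """True if the link is hosted on eaoko.org (or a subdomain) and
    carries a 'goto=' query parameter, the open-redirect pattern."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    on_domain = host == REDIRECT_DOMAIN or host.endswith("." + REDIRECT_DOMAIN)
    has_goto = "goto" in parse_qs(parts.query, keep_blank_values=True)
    return on_domain and has_goto


def sender_is_suspicious(sender_domain: str, dmarc_pass: bool) -> bool:
    """Sender condition: only mail that is both from eaoko.org and
    passes DMARC is treated as trusted; everything else stays in scope."""
    return sender_domain.lower() != REDIRECT_DOMAIN or not dmarc_pass


def matches_rule(message: dict) -> bool:
    """Combine the sender and URL conditions as the summary describes."""
    if not sender_is_suspicious(message["sender_domain"], message["dmarc_pass"]):
        return False
    return any(is_redirect_link(u) for u in message["links"])


def flagged_ids(messages):
    """Return the ids of messages the rule would flag."""
    return [m["id"] for m in messages if matches_rule(m)]


# Constructed sample messages (assumed record shape, not real traffic).
SAMPLE_MESSAGES = [
    {"id": "m1", "sender_domain": "example.com", "dmarc_pass": True,
     "links": ["https://eaoko.org/r?goto=https%3A%2F%2Fexample.net%2Flogin"]},
    {"id": "m2", "sender_domain": "eaoko.org", "dmarc_pass": True,
     "links": ["https://eaoko.org/r?goto=https%3A%2F%2Fexample.org"]},
    {"id": "m3", "sender_domain": "eaoko.org", "dmarc_pass": False,
     "links": ["https://www.eaoko.org/out?goto=https%3A%2F%2Fexample.org"]},
    {"id": "m4", "sender_domain": "example.com", "dmarc_pass": True,
     "links": ["https://eaoko.org/page?id=5", "https://example.com/?ref=eaoko.org&goto=1"]},
]

if __name__ == "__main__":
    print(flagged_ids(SAMPLE_MESSAGES))  # ['m1', 'm3']
```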
Categories
- Web
- Network
- Application
- Identity Management
- Cloud
Data Sources
- Web Credential
- Network Traffic
- User Account
Created: 2025-03-18