Open redirect: YouTube

Sublime Rules

Summary
This detection rule identifies potential open-redirect abuse involving YouTube links, especially in messages that do not originate from trusted YouTube domains. It uses two detection mechanisms: one analyzes links in the message body, the other inspects attachments. The body check triggers when a link's domain resolves to YouTube and its path or query string indicates redirect behavior, such as 'attribution_link?' or '/redirect'. If the message carries attachments, the rule checks for file types commonly used to deliver harmful documents and examines any hyperlinks inside them that target YouTube addresses under the same conditions. The rule also verifies the sender: it checks the sender against a list of highly trusted domains and confirms that DMARC authentication has passed. Together, these checks help counter credential phishing and malware campaigns that abuse open redirects.
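The following is an added, simplified Python illustration of the body-link logic described above; it is not the Sublime rule itself. The redirect-target parameter names (q, u), the YouTube domain list and the trusted sender domains are assumptions, and the sample links are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Assumed lists; the real rule's domain sets may differ.
YOUTUBE_DOMAINS = {"youtube.com", "youtu.be"}
TRUSTED_SENDER_DOMAINS = {"youtube.com", "google.com"}
REDIRECT_MARKERS = ("attribution_link?", "/redirect")   # from the rule summary
TARGET_PARAMS = ("q", "u")   # assumed names of the redirect-target parameter


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_youtube(host):
    return any(host == d or host.endswith("." + d) for d in YOUTUBE_DOMAINS)


def redirect_target(url):
    """Return the external destination of a YouTube redirect link, else None."""
    parsed = urlparse(url)
    if not _is_youtube(_host(url)):
        return None
    path_and_query = parsed.path + ("?" + parsed.query if parsed.query else "")
    if not any(marker in path_and_query for marker in REDIRECT_MARKERS):
        return None
    params = parse_qs(parsed.query)
    for name in TARGET_PARAMS:
        if name in params:
            target = params[name][0]
            target_host = _host(target)
            # A relative target or a YouTube host stays on YouTube: not an open redirect.
            if target_host and not _is_youtube(target_host):
                return target
    return None


def suspicious_links(links, sender_domain, dmarc_pass):
    """Flag (link, target) pairs; a DMARC-passing trusted sender is exempt."""
    if dmarc_pass and sender_domain.lower() in TRUSTED_SENDER_DOMAINS:
        return []
    flagged = []
    for link in links:
        target = redirect_target(link)
        if target:
            flagged.append((link, target))
    return flagged


# Constructed sample links for a quick run.
SAMPLE_LINKS = [
    "https://www.youtube.com/redirect?q=https%3A%2F%2Flogin-example.test%2Fverify",
    "https://www.youtube.com/attribution_link?u=%2Fwatch%3Fv%3Dabc123",
    "https://www.youtube.com/watch?v=abc123",
]
```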
Categories
  • Web
  • Cloud
  • Application
Data Sources
  • Web Credential
  • Network Traffic
Created: 2023-03-31