
Summary
This rule detects abuse of an open redirect on the domain "ijf.org". Open redirects on legitimate sites are a recurring ingredient in phishing campaigns: the victim clicks a link on a trusted domain, lands on a cookie-consent page, and is forwarded to an attacker-controlled site once the consent step completes, so the visible link and the eventual destination differ. The detection logic matches inbound messages containing a link to "ijf.org" where the path begins with '/cookies_agree' and the query string carries a 'backTo=' parameter whose target is not ijf.org itself (a redirect that stays on the site is not an off-site redirect and is not flagged). The rule also applies a sender trust check: senders whose domain is on the high-trust sender list are exempted only when the message passes DMARC, so a high-trust domain that fails DMARC authentication (a likely spoof) is still flagged. The rule is intended to catch credential phishing and malware delivery that hide behind a reputable redirecting domain.
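The following is an added, stand-alone approximation of the detection logic described in the summary, written in Python rather than the rule's own query language; it is not the rule itself. The high-trust domain list, the sample messages and the DMARC results are constructed for the example, and the root-domain helper is a deliberate simplification (last two labels) that a production check would replace with a Public Suffix List lookup.

```python
"""Added example: approximate the ijf.org open-redirect detection described above.

Assumptions (not from the original rule): HIGH_TRUST_SENDER_ROOT_DOMAINS is a
hypothetical allow-list, the messages in SAMPLES are constructed, and the
dmarc_pass flag stands in for the message's DMARC authentication result.
"""
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical stand-in for the rule's high-trust sender root domains.
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"trusted-partner.example"}

# Crude link extractor for plain-text bodies: stop at whitespace, angle
# brackets or a double quote.
URL_RE = re.compile(r'https?://[^\s<>"]+')


def root_domain(host: str) -> str:
    """Naive registered-domain approximation (last two labels).

    A real implementation would consult the Public Suffix List so that
    e.g. 'mail.example.co.uk' resolves to 'example.co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ijf_host(host: str) -> bool:
    host = host.lower()
    return host == "ijf.org" or host.endswith(".ijf.org")


def is_ijf_open_redirect(url: str) -> bool:
    """True when a link uses ijf.org's /cookies_agree?backTo= redirector to
    send the user to a host outside ijf.org.

    backTo values that are bare paths stay on ijf.org and are ignored;
    scheme-relative values such as //evil.example are treated as off-site.
    """
    p = urlparse(url)
    if not is_ijf_host(p.hostname or ""):
        return False
    if not p.path.startswith("/cookies_agree"):
        return False
    # parse_qs percent-decodes the value, so an encoded URL in backTo is
    # compared as the URL the browser will actually follow.
    for target in parse_qs(p.query).get("backTo", []):
        tp = urlparse(target)
        if not tp.scheme and not tp.netloc:
            continue  # relative path: redirect stays on ijf.org
        if not is_ijf_host(tp.hostname or ""):
            return True
    return False


def sender_exempt(sender_domain: str, dmarc_pass: bool) -> bool:
    """High-trust senders are exempt only when DMARC passes; a high-trust
    domain that fails DMARC (likely spoofed) gets no exemption."""
    return root_domain(sender_domain) in HIGH_TRUST_SENDER_ROOT_DOMAINS and dmarc_pass


def evaluate(message: dict) -> dict:
    """Apply the rule to one message dict with keys sender_domain,
    dmarc_pass and body; return the verdict and the offending links."""
    links = URL_RE.findall(message["body"])
    hits = [u for u in links if is_ijf_open_redirect(u)]
    exempt = sender_exempt(message["sender_domain"], message["dmarc_pass"])
    return {"matched": bool(hits) and not exempt,
            "redirect_links": hits,
            "sender_exempt": exempt}


# Constructed sample messages (not real traffic).
REDIRECT_LINK = ("https://ijf.org/cookies_agree?"
                 "backTo=https%3A%2F%2Fevil.example%2Flogin")
SAMPLES = {
    "phish": {"sender_domain": "ijf-notices.example", "dmarc_pass": False,
              "body": f"Confirm your account: {REDIRECT_LINK} today."},
    "trusted_pass": {"sender_domain": "mail.trusted-partner.example",
                     "dmarc_pass": True,
                     "body": f"Newsletter link: {REDIRECT_LINK}"},
    "trusted_dmarc_fail": {"sender_domain": "mail.trusted-partner.example",
                           "dmarc_pass": False,
                           "body": f"Newsletter link: {REDIRECT_LINK}"},
    "benign_onsite": {"sender_domain": "ijf-notices.example", "dmarc_pass": False,
                      "body": "https://ijf.org/cookies_agree?backTo=/members"},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:20s} -> {evaluate(msg)}")
```

The exemption is intentionally a conjunction (trusted domain AND DMARC pass) rather than a plain allow-list: an attacker who spoofs the display domain of a trusted partner fails DMARC and is therefore still evaluated against the link logic.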
Categories
- Web
- Identity Management
- Endpoint
Data Sources
- Process
- Network Traffic
- User Account
Created: 2025-02-06