Open redirect: Hakumonkai.org

Sublime Rules

Summary
This detection targets inbound messages that abuse hakumonkai.org's redirect endpoint (/fukkou/ref.php) to funnel users to external sites. The rule analyzes two content sources: (1) links present in the message body and (2) URLs embedded within PDF attachments.

For body links, it identifies hrefs whose href_url.domain.root_domain equals hakumonkai.org and whose href_url.path equals /fukkou/ref.php, then decodes the query parameters to locate a parameter named 'url'. If that 'url' value parses to a valid domain, the event matches. For PDFs, it inspects the file's content (via file.explode and scan.url.urls) for any URL pointing to hakumonkai.org/ref.php that carries a decodable 'url' parameter which, when parsed, yields a valid domain.

A match triggers a high-severity alert categorized under Credential Phishing with the tactic Open Redirect. Detection methods include URL analysis (parsing and validating hrefs and query parameters) and file analysis (examination of URLs contained within attachments). The rule is designed to detect attempts to use an open redirect to obscure the final phishing destination, facilitating credential theft or credential harvesting.

Potential false positives may arise from legitimate workflows or internal tooling that use the same redirect pattern. Obfuscated or URL-shortened representations of the 'url' parameter could evade parsing, and attackers could switch to alternate domains or paths not covered by the exact /fukkou/ref.php pattern. Consider allowlisting legitimate use cases, monitoring for changes to the redirect endpoint, and expanding coverage to similar redirect patterns or domain variants to reduce gaps in detection.
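The two matching paths described above, written out as an added Python example rather than the rule's own MQL. It assumes a simplified root-domain extraction (last two hostname labels, no public suffix list) and reads the PDF branch as any /ref.php path under the domain; the sample URLs are constructed.

```python
"""Toy re-implementation of the hakumonkai.org open-redirect detection.
Constructed example (not the Sublime rule). Root domain = last two labels
(no public suffix list); PDF URLs match on any /ref.php path (assumption)."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

REDIRECT_ROOT = "hakumonkai.org"
REDIRECT_PATH = "/fukkou/ref.php"
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def root_domain(host: str) -> str:
    """Simplified root domain: the last two labels of the hostname."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def valid_domain(value: str) -> Optional[str]:
    """Hostname of `value` if it parses to a plausible domain, else None."""
    parts = urlsplit(value if "://" in value else "//" + value)
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
        return None
    return host


def redirect_target(url: str) -> Optional[str]:
    """Decode the query string; return the domain the 'url' param points at."""
    for candidate in parse_qs(urlsplit(url).query).get("url", []):
        dest = valid_domain(candidate)
        if dest:
            return dest
    return None


def match_redirect(url: str, from_pdf: bool = False) -> Optional[str]:
    """Body links need the exact /fukkou/ref.php path; PDF URLs any /ref.php."""
    parts = urlsplit(url if "://" in url else "//" + url)
    path_ok = parts.path.endswith("/ref.php") if from_pdf else parts.path == REDIRECT_PATH
    if root_domain(parts.hostname or "") != REDIRECT_ROOT or not path_ok:
        return None
    return redirect_target(url)


def scan_message(body_hrefs, pdf_urls):
    """Return (source, url, destination) for every redirect that matches."""
    hits = [("body_link", h, match_redirect(h)) for h in body_hrefs]
    hits += [("pdf_url", u, match_redirect(u, from_pdf=True)) for u in pdf_urls]
    return [hit for hit in hits if hit[2]]
```

A hit carries the decoded destination domain, which is the value worth surfacing in the alert since the visible href only shows hakumonkai.org.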
Categories
  • Endpoint
  • Network
Data Sources
  • File
  • Network Traffic
Created: 2026-06-02