
Summary
This detection rule identifies potential phishing attempts or other malicious activity that abuse LinkedIn's redirection system. Specifically, it looks for messages containing links to LinkedIn domains (e.g., linkedin.com) that pass through the redirect path /redir/redirect with a query string containing 'url='. The distinguishing characteristic of this redirect is its built-in 3-second delay before the user is sent to the final destination, a feature that cybercriminals have exploited to conduct phishing and deliver malware. The rule evaluates inbound messages to determine whether they originate from a potentially untrusted sender or whether any associated messages have been marked as malicious, while ensuring that trusted domains are adequately filtered. A DMARC authentication failure on email from a high-trust sender domain is treated as a significant risk factor that further justifies the alert. The rule's severity is medium, reflecting the risk of credential theft and malware delivery through such redirections.
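To make the matching logic concrete, here is an added Python example (not the rule's own query language or code) that applies the link pattern and sender checks described above to constructed sample messages; the trust list, message field names and sample domains are assumptions, not values from the rule.

```python
from urllib.parse import urlparse, parse_qs

# Constructed trust list for the example; the rule's real lists are not on the page.
HIGH_TRUST_DOMAINS = {"linkedin.com"}

def is_linkedin_redirect(link: str) -> bool:
    """Match links that go through LinkedIn's /redir/redirect endpoint with a url= parameter."""
    p = urlparse(link)
    host = (p.hostname or "").lower()
    if host != "linkedin.com" and not host.endswith(".linkedin.com"):
        return False  # lookalike hosts such as linkedin.com.evil.test do not match
    if p.path.lower().rstrip("/") != "/redir/redirect":
        return False
    return "url" in parse_qs(p.query, keep_blank_values=True)

def redirect_target(link: str) -> str:
    """Return the decoded final destination carried in the url= parameter."""
    return parse_qs(urlparse(link).query, keep_blank_values=True)["url"][0]

def evaluate(message: dict, high_trust=HIGH_TRUST_DOMAINS):
    """Apply the rule's sender logic; returns (matched, reasons, redirect destinations)."""
    redirects = [l for l in message["links"] if is_linkedin_redirect(l)]
    if not redirects:
        return False, [], []
    sender_domain = message["sender"].rsplit("@", 1)[-1].lower()
    reasons = []
    if sender_domain in high_trust:
        # trusted senders are filtered out unless their DMARC check failed
        if not message.get("dmarc_pass", False):
            reasons.append(f"high-trust sender {sender_domain} failed DMARC")
    else:
        reasons.append(f"untrusted sender domain {sender_domain}")
    if message.get("associated_malicious", False):
        reasons.append("an associated message was marked malicious")
    return bool(reasons), reasons, [redirect_target(l) for l in redirects]

# Constructed sample messages (domains are placeholders, not real indicators)
SAMPLES = {
    "untrusted": {"sender": "hr@recruit-mail.example", "dmarc_pass": True,
                  "links": ["https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Flogin-portal.example%2Fsso&urlhash=ab12"]},
    "spoofed": {"sender": "notifications@linkedin.com", "dmarc_pass": False,
                "links": ["https://linkedin.com/redir/redirect?url=https%3A%2F%2Fdocs-share.example%2Fdl"]},
    "legit": {"sender": "messages-noreply@linkedin.com", "dmarc_pass": True,
              "links": ["https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Fexample.org&urlhash=cd34",
                        "https://www.linkedin.com/in/someone"]},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate(msg))
```

The "legit" sample shows the filtering step: a genuine LinkedIn notification that passes DMARC carries the same redirect link but does not fire the rule.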
Categories
- Web
- Identity Management
- Cloud
Data Sources
- User Account
- Web Credential
- Process
Created: 2024-10-10