
Summary
This detection rule targets a potential open redirect associated with the domain k-mil.net, which has been identified as actively exploited. The rule inspects inbound messages for links that contain the k-mil.net domain and checks specific conditions on their structure: it looks for URLs whose path ends with 'official_url' and whose query parameters suggest redirection (notably those starting with 'u='), but excludes links whose final resolved URL still points to a domain matching k-mil.net, so that a redirect back to the legitimate site is not flagged. The logic additionally takes the sender's email domain into account and includes an exception for highly trusted sender domains that does not apply when they fail DMARC authentication. This approach helps identify phishing attempts and possible malware delivery mechanisms, particularly those linked to credential theft and ransomware, and demonstrates the importance of URL analysis in threat detection.
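The link and sender conditions described above, written out as a small Python check over constructed sample messages. This is an added illustration, not the rule's own query language or code; the high-trust sender list, the message dict layout, the naive root-domain helper, and the reading that trusted senders are exempt only while DMARC passes are all assumptions made here.

```python
from urllib.parse import parse_qs, urlparse

TARGET_ROOT = "k-mil.net"
# Constructed stand-in for the rule's high-trust sender list (the page gives no real list).
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"trusted-example.com"}


def root_domain(host: str) -> str:
    # Naive root-domain extraction (last two labels); enough for this example.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_is_suspicious_redirect(href: str, final_url: str) -> bool:
    # Link shape from the summary: k-mil.net host, path ending in 'official_url',
    # a redirect-style 'u' parameter, and a final destination off k-mil.net.
    parsed = urlparse(href)
    if root_domain(parsed.hostname or "") != TARGET_ROOT:
        return False
    if not parsed.path.rstrip("/").endswith("official_url"):
        return False
    if "u" not in parse_qs(parsed.query, keep_blank_values=True):
        return False
    # A redirect that resolves back onto k-mil.net is not open-redirect abuse.
    return root_domain(urlparse(final_url).hostname or "") != TARGET_ROOT


def message_matches(msg: dict) -> bool:
    # Sender exception: a highly trusted root domain is only considered when DMARC
    # failed (assumed reading of the summary's wording).
    if root_domain(msg["sender_domain"]) in HIGH_TRUST_SENDER_ROOT_DOMAINS and msg["dmarc_pass"]:
        return False
    return any(link_is_suspicious_redirect(l["href"], l["final"]) for l in msg["links"])


# Constructed sample messages (not real traffic); "final" is the resolved destination.
PHISH_HREF = "https://www.k-mil.net/official_url?u=https%3A%2F%2Fphish.example%2Flogin"
SAMPLE_MESSAGES = {
    "off_site_redirect": {"sender_domain": "mail.unknown.example", "dmarc_pass": True,
                          "links": [{"href": PHISH_HREF, "final": "https://phish.example/login"}]},
    "stays_on_site": {"sender_domain": "mail.unknown.example", "dmarc_pass": True,
                      "links": [{"href": "https://www.k-mil.net/official_url?u=%2Fhome",
                                 "final": "https://www.k-mil.net/home"}]},
    "trusted_dmarc_pass": {"sender_domain": "news.trusted-example.com", "dmarc_pass": True,
                           "links": [{"href": PHISH_HREF, "final": "https://phish.example/login"}]},
    "trusted_dmarc_fail": {"sender_domain": "news.trusted-example.com", "dmarc_pass": False,
                           "links": [{"href": PHISH_HREF, "final": "https://phish.example/login"}]},
}
```

Only the first and last sample messages match; the on-site redirect and the DMARC-passing trusted sender are suppressed by the two exclusions.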
Categories
- Web
- Network
- Cloud
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2025-01-29