
Summary
This rule identifies potential open redirect abuse involving links to 'nowlifestyle.com', a domain that has been exploited in various phishing campaigns. The detection logic combines several characteristics of an inbound email message, focusing on the links in the message body: the href_url.domain must match 'nowlifestyle.com', the path must include '/redir.php', and the query parameters must contain a 'url=' parameter that points to an external site rather than back to 'nowlifestyle.com'. This catches attempts to redirect recipients to malicious sites while the visible link appears to belong to this domain.

Additional conditions exclude messages from the specified high-trust sender domains unless those messages fail DMARC authentication, favouring precision over volume. This matters in environments where messages from known trusted senders could otherwise suppress or mislead detection, making the rule a good fit for organizations concerned with credential theft through phishing.
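An added illustration of the detection logic described above, written in Python rather than the rule's own query language (this is not the rule's code). The high-trust sender list and all sample links are constructed placeholders, since the page does not give them; matching subdomains of nowlifestyle.com is an assumption.

```python
from urllib.parse import urlparse, parse_qs

REDIRECT_DOMAIN = "nowlifestyle.com"
REDIRECT_PATH = "/redir.php"
# Constructed placeholder: the rule's real high-trust sender list is not on the page.
HIGH_TRUST_SENDER_DOMAINS = {"trusted-partner.example"}


def _host_of(url: str) -> str:
    """Lower-cased hostname of a URL; scheme-less targets like 'evil.example/x' are handled."""
    if "://" not in url and not url.startswith("//"):
        url = "//" + url
    return (urlparse(url).hostname or "").lower()


def _is_nowlifestyle(host: str) -> bool:
    # Assumption: subdomains count as the same registered domain.
    return host == REDIRECT_DOMAIN or host.endswith("." + REDIRECT_DOMAIN)


def is_abused_redirect_link(href: str) -> bool:
    """True when href is a nowlifestyle.com /redir.php link whose url= target is external."""
    parsed = urlparse(href)
    if not _is_nowlifestyle((parsed.hostname or "").lower()):
        return False
    if REDIRECT_PATH not in parsed.path:
        return False
    # parse_qs percent-decodes values, so an encoded url= target is still inspected.
    for target in parse_qs(parsed.query).get("url", []):
        target_host = _host_of(target)
        if not target_host:
            continue  # relative path or junk: no external redirect
        if _is_nowlifestyle(target_host):
            continue  # points back at nowlifestyle.com itself, as the rule excludes
        return True
    return False


def matches_rule(sender_domain: str, dmarc_pass: bool, body_links: list[str]) -> bool:
    """Inbound message matches when a body link is an abused redirect, unless the sender
    is a high-trust domain that also passes DMARC."""
    if sender_domain.lower() in HIGH_TRUST_SENDER_DOMAINS and dmarc_pass:
        return False
    return any(is_abused_redirect_link(link) for link in body_links)
```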
Categories
- Web
- Network
- Endpoint
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2025-01-02