
Open Redirect: mindmixer.com

Sublime Rules

Summary
This detection rule identifies phishing attempts that abuse an open redirect on the mindmixer.com domain. It inspects inbound messages for links whose host is auth.mindmixer.com and then checks the URL structure: the path must be /GetAuthCookie and the query string must carry a returnUrl= parameter. A regex on the returnUrl value confirms that the redirect target is not itself a mindmixer.com address; the pattern accounts for common URL-encoded forms of the value, so a percent-encoded external destination is still caught. To limit false positives, the rule excludes messages from highly trusted sender domains unless the message failed DMARC authentication, since a trusted domain that fails DMARC may be spoofed. The net effect is to surface messages that use a legitimate-looking mindmixer.com link to bounce the recipient to an attacker-controlled credential-harvesting page.
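The checks described above, implemented in Python as an added example rather than the Sublime rule's own query language. The link and message samples are constructed, the high-trust sender list is an assumed stand-in for whatever list the rule references, and the example goes slightly beyond the summary by handling double-encoded, protocol-relative and userinfo-style returnUrl values that a regex on the raw query would need to account for.

```python
"""Detect phishing links that abuse the auth.mindmixer.com/GetAuthCookie
open redirect.  Added example, not the Sublime rule itself; all samples
below are constructed."""
from urllib.parse import urlsplit, parse_qs, unquote

TARGET_HOST = "auth.mindmixer.com"
TARGET_PATH = "/getauthcookie"      # compared case-insensitively
TRUSTED_ROOT = "mindmixer.com"

# Assumed stand-in for a high-trust sender domain list (not from the page).
HIGH_TRUST_SENDER_DOMAINS = {"google.com", "microsoft.com"}


def _fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding, e.g. %252F -> %2F -> /."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def _stays_on_mindmixer(target: str) -> bool:
    """True if the decoded returnUrl lands on mindmixer.com or a real subdomain.
    Relative paths stay on the host; '//host' and scheme-less forms are
    normalised before parsing; lookalikes such as mindmixer.com.evil.example
    and userinfo tricks such as https://mindmixer.com@evil.example fail."""
    candidate = target.strip()
    if candidate.startswith("/") and not candidate.startswith("//"):
        return True                      # plain relative path, same host
    if candidate.startswith("//"):
        candidate = "https:" + candidate  # protocol-relative redirect
    elif "://" not in candidate:
        candidate = "https://" + candidate
    host = (urlsplit(candidate).hostname or "").lower()
    return host == TRUSTED_ROOT or host.endswith("." + TRUSTED_ROOT)


def is_open_redirect_link(link: str) -> bool:
    """Flag a link that uses GetAuthCookie to redirect off mindmixer.com."""
    parts = urlsplit(link)
    if (parts.hostname or "").lower() != TARGET_HOST:
        return False
    if parts.path.lower() != TARGET_PATH:
        return False
    # parse_qs percent-decodes each value once; decode again for nesting.
    params = parse_qs(parts.query, keep_blank_values=True)
    targets = [v for k, vs in params.items() if k.lower() == "returnurl"
               for v in vs if v.strip()]
    if not targets:
        return False
    return any(not _stays_on_mindmixer(_fully_decode(t)) for t in targets)


def message_matches(message: dict) -> bool:
    """Apply the rule to a constructed inbound message of the form
    {"sender_domain": str, "dmarc_pass": bool, "links": [str, ...]}.
    High-trust senders are excluded unless DMARC failed."""
    if message["sender_domain"] in HIGH_TRUST_SENDER_DOMAINS and message["dmarc_pass"]:
        return False
    return any(is_open_redirect_link(link) for link in message["links"])


# Constructed sample links exercising the cases the rule must handle.
BASE = "https://auth.mindmixer.com/GetAuthCookie?returnUrl="
SAMPLE_LINKS = {
    "plain":             BASE + "https://evil.example/login",
    "encoded":           BASE + "https%3A%2F%2Fevil.example%2Flogin",
    "double_encoded":    BASE + "https%253A%252F%252Fevil.example",
    "protocol_relative": BASE + "%2F%2Fevil.example",
    "lookalike":         BASE + "https://mindmixer.com.evil.example/",
    "userinfo_trick":    BASE + "https://mindmixer.com@evil.example/",
    "benign_subdomain":  BASE + "https://app.mindmixer.com/dashboard",
    "benign_relative":   BASE + "%2Fdashboard",
    "wrong_path":        "https://auth.mindmixer.com/login?returnUrl=https://evil.example/",
    "other_host":        "https://www.mindmixer.com/GetAuthCookie?returnUrl=https://evil.example/",
}


def classify_samples() -> dict:
    """Return {sample_name: flagged} for every constructed link."""
    return {name: is_open_redirect_link(link) for name, link in SAMPLE_LINKS.items()}


if __name__ == "__main__":
    for name, flagged in classify_samples().items():
        print(f"{name:18} -> {'FLAG' if flagged else 'ok'}")
```

The host comparison is deliberately an exact-match-or-dotted-suffix test rather than a substring search, which is the same distinction the rule's regex has to make so that mindmixer.com.evil.example is not mistaken for a first-party destination.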
Categories
  • Web
  • Endpoint
  • Cloud
Data Sources
  • Web Credential
  • Network Traffic
  • User Account
Created: 2025-03-27