
Summary
This detection rule identifies phishing attempts that abuse an open redirect on tkqlhce.com, a domain that has been observed in malicious campaigns. The rule evaluates incoming messages for links that redirect through tkqlhce.com without validation. It applies only to messages whose body contains fewer than 10 links, and it uses multiple conditions to confirm that the tkqlhce.com domain is present in the hyperlink structure. It further verifies that the link's query parameters or URL path do not include secure links redirecting back to this same domain, since those are not off-site redirects. The rule also checks the sender domain against a list of high-trust sender domains to minimize false positives from known legitimate sources; messages from those senders are still flagged if they fail DMARC authentication. This approach improves detection accuracy in environments exposed to credential phishing and malware delivery.
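The following is an added, stand-alone re-implementation of the logic the summary describes, written as an illustration for this page; it is not the vendor's rule code. It assumes a message is represented by a small dataclass (sender domain, DMARC result as a boolean, and the list of links found in the body), and the high-trust sender list is a constructed placeholder. The sample messages at the bottom are constructed and use reserved `.example` hostnames.

```python
"""Illustrative re-implementation of the tkqlhce.com open-redirect check.

Added example, not the vendor's rule. Assumptions:
- a message is a dataclass, not a parsed MIME object
- HIGH_TRUST_SENDER_DOMAINS is a constructed placeholder list
- the DMARC verdict arrives as a boolean from upstream authentication
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote, urlparse

REDIRECT_DOMAIN = "tkqlhce.com"
MAX_BODY_LINKS = 10  # rule only considers messages with fewer links than this
HIGH_TRUST_SENDER_DOMAINS = {"trusted-vendor.example", "partner.example"}  # constructed
URL_RE = re.compile(r"https?://[^\s\"'<>&]+", re.IGNORECASE)


@dataclass
class Message:
    sender_domain: str
    dmarc_pass: bool
    body_links: List[str] = field(default_factory=list)


def host_matches(host: Optional[str], domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (no lookalike matches)."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def embedded_urls(url: str) -> List[str]:
    """Return URL-shaped values carried in the link's path or query string.

    Redirectors usually place the target in a query parameter (often
    percent-encoded), sometimes in the path, so both are decoded and scanned.
    """
    parsed = urlparse(url)
    tail = parsed.path + ("?" + parsed.query if parsed.query else "")
    return URL_RE.findall(unquote(tail))


def redirects_to_self(url: str) -> bool:
    """True when every embedded target points back at tkqlhce.com itself."""
    targets = embedded_urls(url)
    return bool(targets) and all(
        host_matches(urlparse(t).hostname, REDIRECT_DOMAIN) for t in targets
    )


def flagged_links(msg: Message) -> List[str]:
    """Links that redirect through tkqlhce.com to some other destination."""
    return [
        u for u in msg.body_links
        if host_matches(urlparse(u).hostname, REDIRECT_DOMAIN)
        and not redirects_to_self(u)
    ]


def is_suspicious(msg: Message) -> bool:
    """Apply the rule: link-count bound, redirect presence, trusted-sender exemption."""
    if len(msg.body_links) >= MAX_BODY_LINKS:
        return False
    if not flagged_links(msg):
        return False
    trusted = msg.sender_domain.lower() in HIGH_TRUST_SENDER_DOMAINS
    # Trusted senders are exempt only while their mail passes DMARC.
    if trusted and msg.dmarc_pass:
        return False
    return True


# Constructed sample messages covering each branch of the rule.
REDIRECT_LINK = "https://www.tkqlhce.com/click-1234?url=https%3A%2F%2Flogin-portal.example%2Fverify"
SELF_LINK = "https://www.tkqlhce.com/click?url=https://www.tkqlhce.com/home"
LOOKALIKE_LINK = "https://tkqlhce.com.evil.example/?url=https://login-portal.example/"
SAMPLES = {
    "untrusted_sender": Message("mailer.example.net", True, [REDIRECT_LINK]),
    "trusted_dmarc_pass": Message("partner.example", True, [REDIRECT_LINK]),
    "trusted_dmarc_fail": Message("partner.example", False, [REDIRECT_LINK]),
    "self_redirect": Message("mailer.example.net", True, [SELF_LINK]),
    "too_many_links": Message("mailer.example.net", True, [REDIRECT_LINK] + ["https://news.example/%d" % i for i in range(9)]),
    "lookalike_host": Message("mailer.example.net", True, [LOOKALIKE_LINK]),
}


def run_samples() -> Dict[str, bool]:
    """Evaluate every constructed sample and return its verdict by label."""
    return {label: is_suspicious(m) for label, m in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:20s} -> {'SUSPICIOUS' if verdict else 'clean'}")
```

The `host_matches` suffix check is the part worth copying: matching `tkqlhce.com` as a substring would also fire on `tkqlhce.com.evil.example` and on `nottkqlhce.com`, which is why the sample with a lookalike host stays clean.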
Categories
- Web
- Cloud
- Endpoint
Data Sources
- User Account
- Network Traffic
- Web Credential
Created: 2025-03-20