diff --git a/detection-rules/open_redirect_designsori.yml b/detection-rules/open_redirect_designsori.yml
new file mode 100644
index 00000000000..50907877315
--- /dev/null
+++ b/detection-rules/open_redirect_designsori.yml
@@ -0,0 +1,17 @@
+name: "Open Redirect: designsori.com"