diff --git a/detection-rules/open_redirect_meta_youtube.yml b/detection-rules/open_redirect_meta_youtube.yml
new file mode 100644
index 00000000000..1e9563a1d65
--- /dev/null
+++ b/detection-rules/open_redirect_meta_youtube.yml
@@ -0,0 +1,21 @@
+name: "Open Redirect: Meta --> YouTube Redirection Chain"
+description: |
+  Message contains use of a redirect chain which involves Meta and YouTube. This has been exploited in the wild.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(body.links,
+          .href_url.domain.domain == "l.work.meta.com"
+          // the redirect field
+          and strings.icontains(.href_url.query_params, "u=")
+          and regex.icontains(.href_url.query_params, 'u=(?:https?)?(?:(?:%3a|\:)?(?:\/|%2f){2})?youtube\.com[^\&]*\/+logout.*continue=')
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Open redirect"
+detection_methods:
+  - "Sender analysis"
+  - "URL analysis"
+id: "f217fd10-48fe-553a-8e63-4da9fb3fbc64"