
Credential Phishing: Fake Storage alerts (unsolicited)

Sublime Rules

Summary
This detection rule identifies inbound emails that masquerade as storage-space alerts in order to phish credentials. It combines several conditions covering suspicious language, links, and sender authenticity. The message body is checked for keywords associated with storage issues, such as 'full', 'exceeded', and 'out of', and the number and type of links in the body are examined. The rule also uses machine learning to analyze screenshots of attached files, looking for high-confidence instances of credential theft. To separate genuine alerts from trusted services from malicious imitations, it inspects the sender's email address and the DMARC authentication result. Link domains are filtered to exclude known legitimate services, and messages that are unsolicited or that historical sender profiles have flagged as spam are classified as high-risk.
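The following Python script is an added illustration of the heuristics described in the summary; it is not Sublime's rule (Sublime rules are written in the platform's own query language) and it omits the machine-learning screenshot analysis, which needs a trained model. The allow-lists, link threshold, and sample messages are constructed placeholders for this example, and the registered-domain helper is deliberately naive.

```python
"""Toy re-implementation of the storage-alert phishing heuristics from the
rule summary: storage language, link filtering, sender/DMARC exemption and
an unsolicited/spam-history risk bump. Example code, not the Sublime rule."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Terms named in the rule summary, plus assumed theme words so the check
# anchors on storage alerts rather than on the word "full" alone.
STORAGE_ISSUE_TERMS = ("full", "exceeded", "out of")
STORAGE_THEME_TERMS = ("storage", "mailbox", "quota")

# Placeholder allow-lists; the real rule's lists are not on the page.
TRUSTED_SENDER_DOMAINS = {"google.com", "microsoft.com", "dropbox.com"}
LEGIT_LINK_DOMAINS = set(TRUSTED_SENDER_DOMAINS)

MAX_SUSPICIOUS_LINKS = 5  # assumed threshold: more reads like a newsletter

URL_RE = re.compile(r"https?://([^/\s'\"<>]+)", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    subject: str
    body_text: str
    dmarc_pass: bool              # DMARC result from the receiving MTA
    sender_previously_seen: bool  # stand-in for a historical sender profile
    flagged_spam_before: bool = False


def registered_domain(host: str) -> str:
    """Naive registrable domain (last two labels); a production rule would
    use a public-suffix list so that names like example.co.uk work."""
    host = host.lower().split(":")[0]  # drop any port
    return ".".join(host.rsplit(".", 2)[-2:])


def suspicious_link_domains(body: str) -> List[str]:
    """Distinct registered domains linked from the body, minus known-good ones."""
    domains = {registered_domain(h) for h in URL_RE.findall(body)}
    return sorted(d for d in domains if d not in LEGIT_LINK_DOMAINS)


def has_storage_alert_language(text: str) -> bool:
    text = text.lower()
    return (any(t in text for t in STORAGE_THEME_TERMS)
            and any(t in text for t in STORAGE_ISSUE_TERMS))


def evaluate(msg: Message) -> Dict[str, object]:
    """Return {'match': bool, 'risk': str, 'reasons': [...]} for one message."""
    reasons: List[str] = []
    if not has_storage_alert_language(f"{msg.subject}\n{msg.body_text}"):
        return {"match": False, "risk": "none", "reasons": ["no storage-alert language"]}
    reasons.append("storage-alert language present")

    links = suspicious_link_domains(msg.body_text)
    if not links:
        return {"match": False, "risk": "none",
                "reasons": reasons + ["no links outside known-good domains"]}
    if len(links) > MAX_SUSPICIOUS_LINKS:
        return {"match": False, "risk": "none",
                "reasons": reasons + ["too many link domains for an alert"]}
    reasons.append(f"{len(links)} link domain(s) outside allow-list: {', '.join(links)}")

    # A trusted brand that also passes DMARC is treated as a genuine alert.
    sender_domain = registered_domain(msg.sender.rsplit("@", 1)[-1])
    if sender_domain in TRUSTED_SENDER_DOMAINS and msg.dmarc_pass:
        return {"match": False, "risk": "none",
                "reasons": reasons + [f"authenticated alert from {sender_domain}"]}
    if sender_domain in TRUSTED_SENDER_DOMAINS:
        reasons.append(f"sender claims {sender_domain} but DMARC did not pass")

    high_risk = (not msg.sender_previously_seen) or msg.flagged_spam_before
    if high_risk:
        reasons.append("unsolicited sender or prior spam history")
    return {"match": True, "risk": "high" if high_risk else "medium", "reasons": reasons}


# Constructed sample messages (all domains are placeholders).
PHISH = Message("alerts@storage-notice.example", "Action required: mailbox storage is full",
                "Your storage has exceeded its limit. Upgrade: http://storage-renew.example/login",
                dmarc_pass=False, sender_previously_seen=False)
GENUINE = Message("no-reply@dropbox.com", "Your Dropbox is almost full",
                  "You are out of storage. See https://www.dropbox.com/account/plan "
                  "or https://dropboxhelp.example/plans", dmarc_pass=True,
                  sender_previously_seen=True)
SPOOFED = Message("security@google.com", "Storage quota exceeded",
                  "Your Drive storage is full. Verify: http://drive-quota-verify.example/signin",
                  dmarc_pass=False, sender_previously_seen=False)
NEWSLETTER = Message("news@cloud-weekly.example", "Weekly roundup: storage tips",
                     "Running out of storage? " +
                     " ".join(f"http://site{i}.example/post" for i in range(7)),
                     dmarc_pass=True, sender_previously_seen=True)

if __name__ == "__main__":
    for name, m in [("PHISH", PHISH), ("GENUINE", GENUINE),
                    ("SPOOFED", SPOOFED), ("NEWSLETTER", NEWSLETTER)]:
        print(name, evaluate(m))
```

The order of the checks mirrors the summary: cheap language and link filters run first, the DMARC-backed sender exemption keeps genuine brand alerts out, and only then does the sender-history signal decide between a medium and a high risk label.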
Categories
  • Identity Management
  • Endpoint
  • Cloud
  • Web
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2024-03-06