Link: SharePoint Filename Matches Org Name

Sublime Rules

Summary
This detection rule identifies potential impersonation attempts through files shared via SharePoint or OneDrive by analyzing filename patterns in shared-file links. It aims to catch cases where the shared filename matches the recipient organization's name, a pattern commonly seen in credential phishing. The rule inspects email features such as the subject line and message body for terms associated with shared files, while filtering out benign cases such as invitations to edit. Domain filters ensure that the links actually originate from SharePoint or OneDrive, and contextual text in the email is used to determine whether the shared filename matches the organization's name. When these suspicious patterns occur together with the rule's other conditions, the message is flagged for review as potential phishing.
Categories
  • Cloud
  • Web
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2025-07-03