Link: Multistage Landing - Published Google Doc

Sublime Rules

Summary
This detection rule identifies potentially malicious published Google Docs whose content and links lead to risky destinations. It targets activity such as credential phishing, where an attacker lures the victim into clicking a link inside a Google Document that redirects to a newly registered domain, a free subdomain hosting service, a URL shortener, or a site under a suspicious top-level domain (TLD). The rule filters for cases where the Google Doc does not originate from a legitimate Google account, checks that the number of legitimate links is below a threshold, and inspects the links with natural language understanding and metadata analysis, including WHOIS lookups to determine the age of the target domains. It also flags social engineering tactics present in the text of the document itself.
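The following is an added, simplified Python model of the stages the summary describes; it is not the rule's own MQL, and every indicator list, threshold, phrase, WHOIS date and message below is constructed for illustration. It assumes that published Docs are served from docs.google.com under a path ending in /pub, uses a keyword match as a stand-in for the rule's NLU classifier, and replaces the live WHOIS lookup with an in-line table.

```python
"""Simplified model of a multistage-landing check for a published Google Doc.

Added example, not Sublime's rule: indicator lists, thresholds and the WHOIS
table are assumptions so the script runs offline on constructed messages.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional
from urllib.parse import urlparse

# Constructed indicator lists and thresholds (assumed for illustration).
URL_SHORTENERS = {"bit.ly", "tinyurl.com"}
FREE_SUBDOMAIN_HOSTS = {"free-host.example"}      # stands in for free subdomain hosting providers
SUSPICIOUS_TLDS = {"xyz", "top", "icu"}
NEW_DOMAIN_MAX_AGE_DAYS = 30                      # "newly registered" cut-off
MAX_BODY_LINKS = 5                                # above this the mail looks like bulk/newsletter
SOCIAL_ENGINEERING_PHRASES = ("verify your account", "password will expire", "click here to view")

# Constructed WHOIS creation dates standing in for a live registry lookup.
WHOIS_CREATED = {
    "fresh-login.com": date(2025, 5, 10),
    "established-vendor.example": date(2012, 3, 4),
}


@dataclass
class Message:
    sender_domain: str
    body_links: list      # links found in the e-mail body
    doc_links: list       # links extracted from the published Google Doc
    doc_text: str         # visible text of the published Google Doc


def registrable_domain(url: str) -> str:
    """Crude eTLD+1: the last two labels of the hostname (enough for this example)."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def is_published_google_doc(url: str) -> bool:
    """Assumption: published Docs live on docs.google.com with a path ending in /pub."""
    p = urlparse(url)
    return (p.hostname or "") == "docs.google.com" and p.path.endswith("/pub")


def link_risk(url: str, today: date) -> Optional[str]:
    """Return why a link is a risky multistage destination, or None if no check fires."""
    host = urlparse(url).hostname or ""
    reg = registrable_domain(url)
    if reg in URL_SHORTENERS:
        return f"url shortener: {reg}"
    if reg in FREE_SUBDOMAIN_HOSTS and host != reg:
        return f"free subdomain host: {host}"
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        return f"suspicious tld: {host}"
    created = WHOIS_CREATED.get(reg)          # None when the constructed table has no entry
    if created is not None and (today - created).days <= NEW_DOMAIN_MAX_AGE_DAYS:
        return f"newly registered domain: {reg}"
    return None


def social_engineering_hits(text: str) -> list:
    """Keyword stand-in for the NLU classifier the rule applies to the document text."""
    lowered = text.lower()
    return [p for p in SOCIAL_ENGINEERING_PHRASES if p in lowered]


def evaluate(msg: Message, today: date) -> dict:
    """Run the stages in order; returns the match flag and the reasons collected."""
    sender = msg.sender_domain.lower()
    if sender == "google.com" or sender.endswith(".google.com"):
        return {"match": False, "reasons": ["sender is Google itself"]}
    if not any(is_published_google_doc(u) for u in msg.body_links):
        return {"match": False, "reasons": ["no published Google Doc link in body"]}
    if len(msg.body_links) >= MAX_BODY_LINKS:
        return {"match": False, "reasons": ["too many links; looks like bulk mail"]}
    reasons = [r for r in (link_risk(u, today) for u in msg.doc_links) if r]
    reasons.extend(f"social engineering: '{p}'" for p in social_engineering_hits(msg.doc_text))
    return {"match": bool(reasons), "reasons": reasons}


# Constructed sample messages.
PHISH = Message(
    sender_domain="mail.example",
    body_links=["https://docs.google.com/document/d/e/CONSTRUCTED-ID/pub"],
    doc_links=["https://fresh-login.com/signin", "https://bit.ly/abc123"],
    doc_text="Your password will expire today. Click here to view the document.",
)
BENIGN = Message(
    sender_domain="vendor.example",
    body_links=["https://docs.google.com/document/d/e/CONSTRUCTED-ID/pub"],
    doc_links=["https://established-vendor.example/brochure"],
    doc_text="Quarterly newsletter attached.",
)

if __name__ == "__main__":
    for name, m in (("phish", PHISH), ("benign", BENIGN)):
        print(name, evaluate(m, date(2025, 5, 15)))
```

Each stage is a separate function so a false positive can be traced to the check that fired; in a real deployment the phrase list and the WHOIS table would be replaced by the platform's classifier and a live lookup with caching, and the eTLD+1 helper by a public-suffix-aware one.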
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Web Credential
Created: 2025-05-15