
Summary
This rule detects potentially malicious links to Google Apps Script macros that are shared via comment tagging in Google Slides and Docs. Attackers may embed links to their scripts within documents and use social engineering to entice users into clicking them. Such scripts can lead to arbitrary code execution, redirecting users to harmful sites or performing unauthorized actions on their behalf. The detection logic uses regex to capture inbound messages whose sender display name references a Google product, checks for links originating from 'script.google.com' with paths indicating macros, and looks for message content conveying urgency or financial transactions, which is common in phishing lures. By combining sender analysis, content analysis, and URL inspection, the rule flags this specific abuse pattern while leaving ordinary comment notifications alone.
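The three checks described above, as an added illustration rather than the rule's own logic: the page does not reproduce the actual regexes, so the patterns, the `Message` fields and the sample notifications below are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed approximations of the rule's three checks. The rule's actual
# regexes are not reproduced on the page, so these patterns are assumptions.
GOOGLE_SENDER_RE = re.compile(r"\bgoogle\b", re.I)
MACRO_URL_RE = re.compile(r"^https?://script\.google\.com/macros/", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|action required|expir(e|es|ed|ing)|overdue|"
    r"invoice|payment|wire transfer|payroll)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Message:
    """Minimal stand-in for the message fields the rule inspects (constructed)."""
    sender_display_name: str
    sender_email: str
    body: str
    inbound: bool = True


def extract_macro_links(body):
    """Return every URL in the body that points at an Apps Script macro path."""
    urls = (u.rstrip(".,;:!?)") for u in URL_RE.findall(body))
    return [u for u in urls if MACRO_URL_RE.match(u)]


def matches_rule(msg):
    """True only when the sender, link and lure checks all hold, as the summary describes."""
    if not msg.inbound:
        return False
    if not GOOGLE_SENDER_RE.search(msg.sender_display_name):
        return False  # display name does not reference a Google product
    if not extract_macro_links(msg.body):
        return False  # no script.google.com macro link to inspect
    return URGENCY_RE.search(msg.body) is not None


# Constructed sample notifications; the script and document ids are placeholders.
PHISH = Message("Google Docs", "comments-noreply@docs.google.com",
                "Finance tagged you: invoice payment overdue, action required. "
                "Open https://script.google.com/macros/s/EXAMPLE_SCRIPT_ID/exec today.")
BENIGN_COMMENT = Message("Google Docs", "comments-noreply@docs.google.com",
                         "Alice mentioned you in a comment: https://docs.google.com/document/d/EXAMPLE_DOC_ID")
MACRO_NO_LURE = Message("Google Docs", "comments-noreply@docs.google.com",
                        "Try the new sheet helper: https://script.google.com/macros/s/EXAMPLE_SCRIPT_ID/exec")

if __name__ == "__main__":
    for name, m in [("phish", PHISH), ("benign", BENIGN_COMMENT), ("macro_no_lure", MACRO_NO_LURE)]:
        print(name, matches_rule(m))
```

Only the first sample trips all three conditions; a legitimate comment notification (no macro link) and a macro link without an urgency or financial lure both fall through, which is the false-positive control the summary describes.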
Categories
- Cloud
- Web
- Application
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2023-02-02