
Summary
This detection rule identifies macro-enabled Excel files crafted with the Go Excelize library that rely on social engineering to lure users into enabling macros or downloading malicious content. It looks for document-sharing phrases such as 'sent document', 'shared file', or 'REVIEW DOCUMENT' within the macro files, which are common indicators of phishing attempts. The detection logic filters inbound attachments whose file extension indicates a macro-enabled workbook and requires that they are under 2MB to limit false positives. The file's Exif metadata is then examined to verify that the creator is 'xuri' and that the application used to create the file is recognized as 'Go Excelize'. Overall, this rule aims to protect against credential phishing attacks that leverage macro-enabled Excel files.
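The following is an added worked example of the detection logic described above, written for this page and not taken from the rule's vendor or the Excelize project. It reads the workbook's creator and application from the Office Open XML document properties (docProps/core.xml and docProps/app.xml, which is where Exif-style tooling reads these values from), applies the inbound, extension, size, metadata and lure-phrase checks in sequence, and reports which check stopped the match. The macro extension set (.xlsm, .xltm, .xlam), the phrase list and the sample workbooks built by build_sample_workbook are assumptions constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed set of macro-enabled Excel extensions; the rule text only says "a specific file extension for macros".
MACRO_EXTENSIONS = {"xlsm", "xltm", "xlam"}
MAX_SIZE_BYTES = 2 * 1024 * 1024          # "under 2MB" per the rule summary
LURE_PHRASES = ("sent document", "shared file", "review document")  # compared case-insensitively
EXPECTED_CREATOR = "xuri"
EXPECTED_APPLICATION = "Go Excelize"

NS_CORE = {"dc": "http://purl.org/dc/elements/1.1/"}
NS_APP = {"ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}


def read_office_properties(data):
    """Return (creator, application) from the OOXML document-property parts, or None when absent."""
    creator = application = None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            node = ET.fromstring(zf.read("docProps/core.xml")).find("dc:creator", NS_CORE)
            creator = node.text if node is not None else None
        if "docProps/app.xml" in names:
            node = ET.fromstring(zf.read("docProps/app.xml")).find("ep:Application", NS_APP)
            application = node.text if node is not None else None
    return creator, application


def extract_text(data):
    """Concatenate every XML part (shared strings, sheets, properties) for phrase matching."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return " ".join(zf.read(n).decode("utf-8", errors="replace")
                        for n in zf.namelist() if n.endswith(".xml"))


def evaluate_attachment(filename, data, inbound=True):
    """Return (matched, reason). Checks are ordered cheapest first, as the rule summary describes."""
    if not inbound:
        return False, "not an inbound attachment"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MACRO_EXTENSIONS:
        return False, f"extension '{ext}' is not a macro-enabled workbook"
    if len(data) >= MAX_SIZE_BYTES:
        return False, f"file size {len(data)} bytes is not under 2MB"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False, "not an OOXML container"
    creator, application = read_office_properties(data)
    if creator != EXPECTED_CREATOR or application != EXPECTED_APPLICATION:
        return False, f"metadata creator={creator!r} application={application!r} does not match Excelize"
    text = extract_text(data).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if not hits:
        return False, "no document-sharing lure phrase found"
    return True, f"Excelize-built macro workbook with lure phrase(s): {', '.join(hits)}"


def build_sample_workbook(creator, application, sheet_text, padding=0):
    """Constructed minimal .xlsm-like container for the example; real files carry many more parts."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            f'<dc:creator>{creator}</dc:creator></cp:coreProperties>')
    app = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
           f'<Application>{application}</Application></Properties>')
    shared = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
              f'<si><t>{sheet_text}</t></si></sst>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("xl/sharedStrings.xml", shared)
        zf.writestr("xl/vbaProject.bin", b"\x00")  # placeholder for the VBA project stream
        if padding:
            # Stored (uncompressed) filler so the container actually exceeds the size cap
            zf.writestr("xl/media/image1.bin", b"\x00" * padding, compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_workbook("xuri", "Go Excelize", "Please REVIEW DOCUMENT to continue")
    print(evaluate_attachment("invoice.xlsm", lure))
    print(evaluate_attachment("budget.xlsm", build_sample_workbook("Jane Doe", "Microsoft Excel", "Q3 budget")))
```

The size check uses the raw byte length of the attachment, and the metadata check is exact-match on both fields, so a benign Excelize-generated report without a lure phrase, or a file whose creator was changed from the library default, falls through as a non-match; loosening either comparison widens the rule and should be a deliberate tuning decision.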
Categories
- Endpoint
- Application
- Cloud
Data Sources
- File
- Script
- Application Log
Created: 2026-01-30