
Summary
This detection rule identifies potentially harmful messages that link to Intuit's notification-tracking domain but are sent from non-Intuit accounts. Specifically, it matches emails containing links to 'links.notification.intuit.com' whose sender domain is not one of Intuit's official domains (quickbooks.com or intuit.com); a genuine Intuit tracking link paired with a non-Intuit sender is the combination a brand-impersonation lure would produce. The rule additionally requires a machine learning classifier to flag credential-theft language at medium confidence, and checks whether the topics of the thread relate to file sharing and cloud services. Finally, the body text is limited to 1750 characters, which focuses the rule on short lure messages rather than long legitimate notifications.
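As an added illustration (not Sublime's rule code and not anything published by Intuit), the following Python evaluates the conditions described above over constructed sample messages. The message field names, the topic label and the classifier output (taken here as a precomputed confidence string, since the model itself is not part of the page) are assumptions; "medium confidence" is treated as a floor, so a high-confidence verdict also qualifies. The sender check compares the registered domain so that a subdomain such as notification.intuit.com still counts as Intuit, and the link check compares the URL hostname exactly so that a lookalike host like links.notification.intuit.com.evil.example does not match.

```python
"""Added example: evaluating the Intuit-link / non-Intuit-sender rule over
constructed messages. Field names, topic label and classifier output shape
are assumptions, not the vendor's schema."""
from dataclasses import dataclass
from urllib.parse import urlparse

INTUIT_LINK_HOST = "links.notification.intuit.com"
INTUIT_SENDER_ROOT_DOMAINS = {"intuit.com", "quickbooks.com"}
MAX_BODY_CHARS = 1750
FILE_SHARING_TOPIC = "file sharing and cloud services"   # assumed topic label
QUALIFYING_CONFIDENCE = {"medium", "high"}               # assumption: medium is a floor


@dataclass
class Message:
    sender: str                 # From: address
    body_text: str              # plain-text body
    links: list                 # URLs extracted from the body
    cred_theft_confidence: str  # assumed classifier output: none/low/medium/high
    topics: list                # assumed topic labels assigned to the thread


def root_domain(host: str) -> str:
    """Registered domain approximated as the last two labels.
    Simplification: public suffixes such as co.uk would need a PSL lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def has_intuit_notification_link(links) -> bool:
    """Exact hostname comparison, so 'links.notification.intuit.com.evil.example'
    and 'evil.example/links.notification.intuit.com' do not match."""
    for url in links:
        host = (urlparse(url).hostname or "").lower()
        if host == INTUIT_LINK_HOST:
            return True
    return False


def failed_conditions(msg: Message) -> list:
    """Names of the rule conditions the message does NOT satisfy (empty = hit)."""
    failed = []
    if not has_intuit_notification_link(msg.links):
        failed.append("no_intuit_notification_link")
    if root_domain(sender_domain(msg.sender)) in INTUIT_SENDER_ROOT_DOMAINS:
        failed.append("sender_is_intuit")
    if msg.cred_theft_confidence.lower() not in QUALIFYING_CONFIDENCE:
        failed.append("cred_theft_confidence_too_low")
    if not any(t.lower() == FILE_SHARING_TOPIC for t in msg.topics):
        failed.append("topic_not_file_sharing")
    if len(msg.body_text) > MAX_BODY_CHARS:
        failed.append("body_too_long")
    return failed


def evaluate_rule(msg: Message) -> bool:
    return not failed_conditions(msg)


# Constructed samples; the tracking URL path is made up.
TRACKED_LINK = "https://links.notification.intuit.com/ls/click?upn=example"
LURE_TEXT = "A document has been shared with you. Sign in to view your invoice."

LOOKALIKE = Message("billing@quickbooks-invoices.example", LURE_TEXT,
                    [TRACKED_LINK], "medium", ["File Sharing and Cloud Services"])
GENUINE = Message("noreply@notification.intuit.com", LURE_TEXT,
                  [TRACKED_LINK], "medium", ["File Sharing and Cloud Services"])
LONG_BODY = Message("billing@quickbooks-invoices.example", "x" * 1751,
                    [TRACKED_LINK], "high", ["File Sharing and Cloud Services"])
SPOOFED_HOST = Message("billing@quickbooks-invoices.example", LURE_TEXT,
                       ["https://links.notification.intuit.com.evil.example/x"],
                       "medium", ["File Sharing and Cloud Services"])

if __name__ == "__main__":
    for name, m in [("lookalike", LOOKALIKE), ("genuine", GENUINE),
                    ("long_body", LONG_BODY), ("spoofed_host", SPOOFED_HOST)]:
        print(name, evaluate_rule(m), failed_conditions(m))
```

Only the lookalike sample fires; the genuine Intuit notification is excluded by the sender check, the long body by the length cap, and the lookalike host (a real Intuit link is required, not merely a string resembling one) by the exact hostname comparison.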
Categories
- Identity Management
- Web
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2025-06-28