Credential phishing: Onedrive impersonation

Sublime Rules

Summary
This rule detects phishing attempts that impersonate Microsoft's OneDrive service. It is rated high severity because the goal of these messages is credential theft. The rule inspects the subject and content of inbound messages for OneDrive-related keywords, such as variations of 'one drive' in the sender display name, the sender email address, or the message subject. It combines regex patterns with natural language understanding (NLU) to identify phishing indicators, including links hosted on free subdomains and phrases that signal credential theft intent.

The rule also checks that the sender's domain is not a trusted Microsoft domain (e.g., 'microsoft.com'), and that any message claiming such a trusted domain has passed DMARC authentication. By filtering out known trusted sender domains and excluding certain display name conditions, the rule keeps false positives low. Together, content analysis, header inspection, and NLU improve detection accuracy against evolving social engineering campaigns that target OneDrive users.
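The following Python script is an added illustration of the detection logic described in the summary; it is not the Sublime rule itself and does not use Sublime's query language. The regex, the free-subdomain list, the credential-theft phrase list (a stand-in for the NLU classifier), the trusted-domain list beyond 'microsoft.com', the naive root-domain extraction, and all sample messages are constructed assumptions for this example. The display-name exclusions the summary mentions are not specified on the page and are not modelled.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Matches "onedrive", "one drive", "one-drive", "one_drive", "one.drive" (case-insensitive).
ONEDRIVE_RE = re.compile(r"\bone[\s._-]*drive\b", re.IGNORECASE)

# Assumption: a small constructed list of hosting services that hand out free subdomains.
FREE_SUBDOMAIN_HOSTS = ("weebly.com", "000webhostapp.com", "glitch.me", "netlify.app", "pages.dev")

# Assumption: phrases standing in for the NLU "credential theft" intent classifier.
CREDENTIAL_PHRASES = (
    "verify your account",
    "sign in to view",
    "password will expire",
    "login to access",
    "confirm your identity",
)

# Trusted sender root domains. 'microsoft.com' comes from the rule summary.
TRUSTED_ROOT_DOMAINS = ("microsoft.com",)


@dataclass
class Message:
    """Minimal model of the message fields the rule inspects."""
    display_name: str
    sender: str
    subject: str
    body: str
    links: list[str] = field(default_factory=list)
    dmarc_pass: bool = False  # result of DMARC evaluation from the auth headers


def root_domain(host: str) -> str:
    # Naive: last two labels. Production rules use a public-suffix list instead.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url: str) -> str:
    m = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def on_free_subdomain(url: str) -> bool:
    # True only for a subdomain of a free host, not the host's apex itself.
    host = host_of(url)
    return any(host.endswith("." + svc) and host != svc for svc in FREE_SUBDOMAIN_HOSTS)


def impersonates_onedrive(msg: Message) -> bool:
    return any(ONEDRIVE_RE.search(f) for f in (msg.display_name, msg.sender, msg.subject))


def credential_theft_language(text: str) -> bool:
    t = text.lower()
    return any(p in t for p in CREDENTIAL_PHRASES)


def sender_is_trusted(msg: Message) -> bool:
    # A trusted Microsoft domain only counts as trusted when DMARC passed;
    # a spoofed From: header that fails DMARC gets no exemption.
    domain = msg.sender.rsplit("@", 1)[-1]
    return root_domain(domain) in TRUSTED_ROOT_DOMAINS and msg.dmarc_pass


def evaluate(msg: Message) -> list[str]:
    """Return the indicators that fired; an empty list means the rule does not match."""
    if not impersonates_onedrive(msg) or sender_is_trusted(msg):
        return []
    indicators = []
    if any(on_free_subdomain(u) for u in msg.links):
        indicators.append("free_subdomain_link")
    if credential_theft_language(msg.subject + " " + msg.body):
        indicators.append("credential_theft_language")
    return indicators


def is_phish(msg: Message) -> bool:
    return bool(evaluate(msg))


# Constructed sample messages (not real captures).
SAMPLES = {
    "phish": Message("OneDrive", "share@docs-notify.example", "Document shared via One Drive",
                     "A file was shared with you. Sign in to view the document.",
                     ["https://onedrive-docs.weebly.com/login"], dmarc_pass=False),
    "legit": Message("Microsoft OneDrive", "no-reply@microsoft.com", "New files in your OneDrive",
                     "Sign in to view your recent files.",
                     ["https://onedrive.live.com/view"], dmarc_pass=True),
    "spoofed": Message("Microsoft OneDrive", "no-reply@microsoft.com", "New files in your OneDrive",
                       "Sign in to view your recent files.",
                       ["https://onedrive.live.com/view"], dmarc_pass=False),
    "unrelated": Message("Alice", "alice@example.com", "Lunch tomorrow?",
                         "Sign in to view the menu.", [], dmarc_pass=True),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:10s} -> {evaluate(msg) or 'no match'}")
```

The `spoofed` sample is the case the DMARC check exists for: the From: domain is 'microsoft.com', but because DMARC failed the trusted-domain exemption does not apply and the credential-theft language still fires.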
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2024-06-18