
Summary
This detection rule flags phishing messages that impersonate SharePoint file-sharing notifications. The core logic matches the body text against phrasing typical of sharing notifications, such as 'shared a file with you' or 'invited you to access a file'. The rule also evaluates the subject line and every link in the message, looking for sharing links that do not resolve to recognized Microsoft domains (for example, microsoft.com or sharepoint.com). Further conditions catch messages that claim to come from Microsoft platforms but fail trust checks such as DMARC authentication, as well as messages from external domains unrelated to the organization that carry spam or phishing indicators, such as malicious content or a deceptive sender domain. The rule combines content analysis, header analysis, and image recognition of embedded logos to detect brand impersonation. Its goal is to stop credential theft and malware delivery by pinpointing anomalies in what appears to be routine file-sharing mail.
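The text-based part of that logic, as an added example that is not the rule's own implementation: a small Python evaluator that applies the sharing-phrase match, the non-Microsoft link check, the DMARC check on Microsoft sender domains, and the internal-sender exclusion to three constructed messages. The phrase list, the Microsoft domain allowlist, the `Authentication-Results` parsing and the sample messages are all assumptions made for the example; the logo recognition mentioned above is not reproduced.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Phrasing typical of SharePoint/OneDrive sharing notifications. Assumed illustrative
# subset; the real rule's pattern list is not on the page.
SHARING_PHRASES = re.compile(
    r"shared (?:a|the) (?:file|document|folder) with you"
    r"|invited you to (?:access|view|edit) (?:a|the) (?:file|document|folder)",
    re.IGNORECASE,
)

# Domains accepted as genuine Microsoft sharing infrastructure (assumed allowlist).
MICROSOFT_DOMAINS = ("microsoft.com", "sharepoint.com", "sharepointonline.com",
                     "office.com", "onedrive.com")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def domain_is_under(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def sender_domain(msg):
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def dmarc_result(msg):
    """DMARC verdict recorded by the receiving MTA in Authentication-Results."""
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""), re.IGNORECASE)
    return m.group(1).lower() if m else "none"


def body_text(msg):
    """Concatenate the text/plain and text/html parts of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(chunks)


def evaluate(raw_email, org_domains):
    """Return {'flag': bool, 'reasons': [...]} for one RFC 822 message."""
    msg = message_from_string(raw_email)
    body = body_text(msg)
    sender = sender_domain(msg)
    reasons = []

    # 1. The rule only applies to messages using file-sharing phrasing.
    if not SHARING_PHRASES.search(msg.get("Subject", "") + "\n" + body):
        return {"flag": False, "reasons": ["no file-sharing phrasing"]}

    # 2. Mail from the organisation's own domains is out of scope.
    if domain_is_under(sender, org_domains):
        return {"flag": False, "reasons": ["internal sender"]}

    # 3. Sharing links that do not land on Microsoft infrastructure.
    foreign = [u for u in URL_RE.findall(body)
               if not domain_is_under(urlparse(u).hostname, MICROSOFT_DOMAINS)]
    if foreign:
        reasons.append("non-Microsoft link(s): " + ", ".join(foreign))

    # 4. A Microsoft sender domain that the receiving MTA could not authenticate.
    if domain_is_under(sender, MICROSOFT_DOMAINS) and dmarc_result(msg) != "pass":
        reasons.append("Microsoft sender domain but DMARC=" + dmarc_result(msg))

    return {"flag": bool(reasons), "reasons": reasons}


# Constructed sample messages for the example (not real captures).
PHISH = """\
From: "SharePoint" <share@docs-portal.example>
To: user@contoso.example
Subject: Finance shared a file with you
Authentication-Results: mx.contoso.example; dmarc=none header.from=docs-portal.example
Content-Type: text/html; charset="utf-8"

<p>Finance shared a file with you.</p>
<a href="https://login-micros0ft.example/open?doc=Q3.xlsx">Open</a>
"""

SPOOF = """\
From: no-reply@sharepointonline.com
To: user@contoso.example
Subject: Jane invited you to access a file
Authentication-Results: mx.contoso.example; spf=fail dmarc=fail header.from=sharepointonline.com
Content-Type: text/plain; charset="utf-8"

Jane invited you to access a file: https://contoso.sharepoint.com/:x:/g/abc
"""

LEGIT = """\
From: no-reply@sharepointonline.com
To: user@contoso.example
Subject: Jane shared a folder with you
Authentication-Results: mx.contoso.example; spf=pass dkim=pass dmarc=pass header.from=sharepointonline.com
Content-Type: text/plain; charset="utf-8"

Jane shared a folder with you: https://contoso.sharepoint.com/:f:/g/abc
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("SPOOF", SPOOF), ("LEGIT", LEGIT)):
        print(name, evaluate(raw, ("contoso.example",)))
```

The two positive cases illustrate why the link check and the DMARC check are both needed: the first message links to a look-alike domain while sending from an unrelated one, the second links to a genuine SharePoint tenant URL but forges the Microsoft sender, which only the failed DMARC verdict exposes. In production the `Authentication-Results` header must be the one written by your own edge MTA; an attacker can add a fake one upstream, so strip or ignore copies not bearing your server's authserv-id.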
Categories
- Identity Management
- Cloud
- Web
- Endpoint
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2023-11-18