
Summary
This detection rule identifies potential abuse of Google Drive sharing notifications. It flags share notifications whose Reply-To address uses a domain that is newly registered (less than 30 days old) and does not match any of the organization's established domains. Newly registered domains are a common signal of phishing and other fraudulent activity, particularly in Business Email Compromise (BEC) and credential phishing campaigns: the attacker lets a trusted notification service deliver the message and relies on the Reply-To header to route the victim's response to infrastructure they control. The rule combines several checks. It verifies that the message was sent from Google Drive's official notification addresses, extracts the reply-to address from the headers, confirms that its domain is outside the organization's approved domains, and determines the domain's age via a WHOIS query. The detection triggers only when all of these conditions hold. Because legitimately new domains do occur and WHOIS lookups can fail or return no creation date, a hit should be treated as a prompt to inspect the reply-to address and the shared document rather than as proof of compromise. The aim is to intercept suspicious communications before a user engages with them.
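The logic described above, written out as an added example (this is not the rule's own code or query language). It assumes a set of Google Drive notification sender addresses, one organization domain (example.com), and a fixed clock; the WHOIS creation dates are a constructed in-memory table so the script runs offline, and the sample messages are constructed as well. It also covers one edge case the summary implies but does not spell out: a Reply-To header carrying both an organization address and an attacker address still fires.

```python
"""Added example: flag Google Drive share notifications whose Reply-To domain is
newly registered and not owned by the organization. All identifiers, sender
addresses, domains, dates and messages below are assumptions for the example."""
from dataclasses import dataclass
from datetime import date
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import Optional

GOOGLE_DRIVE_SENDERS = {  # assumed Drive share-notification senders
    "drive-shares-dm-noreply@google.com",
    "drive-shares-noreply@google.com",
}
ORG_DOMAINS = {"example.com"}   # assumed organization domains
NEW_DOMAIN_MAX_AGE_DAYS = 30
TODAY = date(2025, 1, 9)        # fixed clock so the example is deterministic

# Stand-in for WHOIS creation dates (constructed; a real rule queries WHOIS/RDAP).
DOMAIN_CREATED = {
    "example.com": date(2010, 3, 1),
    "trusted-vendor.net": date(2015, 6, 15),
    "examp1e-docs.com": date(2024, 12, 28),
}


@dataclass
class Verdict:
    alert: bool
    reason: str
    reply_domain: Optional[str] = None
    age_days: Optional[int] = None


def is_org_domain(domain: str) -> bool:
    """True for an organization domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)


def domain_age_days(domain: str) -> Optional[int]:
    """Age in days of the registrable domain, or None when WHOIS has no record.
    Walks up the labels so 'files.examp1e-docs.com' resolves to 'examp1e-docs.com'
    (a production implementation should use the public suffix list instead)."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        created = DOMAIN_CREATED.get(".".join(labels[i:]))
        if created is not None:
            return (TODAY - created).days
    return None


def evaluate(raw_message: str) -> Verdict:
    """Apply the rule to one RFC 5322 message. In production, also require the
    message to pass DMARC for google.com before trusting the From header."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() not in GOOGLE_DRIVE_SENDERS:
        return Verdict(False, "sender is not a Google Drive notification address")
    # Reply-To may list several mailboxes; every one of them is checked.
    reply_addrs = [a.lower() for _, a in getaddresses(msg.get_all("Reply-To", []))
                   if "@" in a]
    if not reply_addrs:
        return Verdict(False, "no Reply-To header")
    for addr in reply_addrs:
        domain = addr.rsplit("@", 1)[1]
        if is_org_domain(domain):
            continue
        age = domain_age_days(domain)
        if age is None:
            continue  # unknown age: not enough evidence to alert on this address
        if age < NEW_DOMAIN_MAX_AGE_DAYS:
            return Verdict(True, f"reply-to domain registered {age} days ago",
                           domain, age)
    return Verdict(False, "reply-to domains are organization-owned or established")


# Constructed sample messages.
PHISH = """From: Google Drive <drive-shares-dm-noreply@google.com>
Reply-To: Finance Team <invoices@files.examp1e-docs.com>
To: alice@example.com
Subject: Q4 invoice shared with you

Open the document to review the invoice.
"""
MIXED_REPLY_TO = """From: Google Drive <drive-shares-noreply@google.com>
Reply-To: bob@example.com, Finance Team <invoices@examp1e-docs.com>
To: alice@example.com
Subject: Document shared with you

Please review.
"""
BENIGN_INTERNAL = PHISH.replace("invoices@files.examp1e-docs.com", "bob@example.com")
BENIGN_VENDOR = PHISH.replace("invoices@files.examp1e-docs.com", "ops@trusted-vendor.net")
NOT_DRIVE = PHISH.replace("drive-shares-dm-noreply@google.com", "it@examp1e-docs.com")

if __name__ == "__main__":
    for name, raw in [("PHISH", PHISH), ("MIXED_REPLY_TO", MIXED_REPLY_TO),
                      ("BENIGN_INTERNAL", BENIGN_INTERNAL),
                      ("BENIGN_VENDOR", BENIGN_VENDOR), ("NOT_DRIVE", NOT_DRIVE)]:
        print(name, evaluate(raw))
```

The sender check comes first so that a new domain used directly in From does not fire this rule; that traffic belongs to a different detection. An address whose domain age cannot be determined is skipped rather than alerted on, which keeps WHOIS outages from producing a flood of hits; a team that prefers to fail closed can return an alert there instead.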
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Service
- Cloud Service
Created: 2025-01-09