
Summary
This detection rule identifies potentially malicious emails that use Google Drive as a landing page in phishing campaigns. It evaluates message characteristics including sender information, email content, and link analysis. The rule's conditions require that the sender is one of Google Drive's no-reply addresses, that SPF and DMARC authentication checks pass, and that the reply-to address is new or unsolicited. The message body is examined for phishing indicators such as urgent or suspicious keywords, and the links within the message are checked against known free file hosts, subdomain services, and URL shorteners, and for landing pages that are CAPTCHA pages or recognized phishing sites. Together, these conditions provide a comprehensive filter for nuanced phishing attempts that leverage a trusted service.
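As an added illustration (not the rule's own code, which this page does not reproduce), the following Python models the conditions described in the summary and runs them over two constructed messages. The sender address, the host lists, the keyword set and the per-link landing-page flags are all assumed stand-ins for the rule's real data and link-analysis output.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder lists: the rule itself relies on curated lists of
# Google Drive senders, free file hosts, free subdomain services and URL shorteners.
GOOGLE_DRIVE_SENDERS = {"drive-shares-noreply@google.com"}  # assumed sender value
FREE_FILE_HOSTS = {"dropbox.com", "mega.nz"}
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "github.io"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com"}
# Constructed keyword set standing in for the rule's body phishing indicators.
SUSPICIOUS_TERMS = re.compile(r"\b(urgent|verify|password|invoice|suspended)\b", re.I)


def registered_domain(host):
    """Naive eTLD+1 (last two labels); sufficient for the constructed samples."""
    return ".".join(host.lower().split(".")[-2:])


def link_is_suspicious(link):
    """link = {"url": str, "landing_captcha": bool, "landing_phishing": bool}.
    The two landing flags are an assumed stand-in for the rule's link analysis."""
    dom = registered_domain(urlparse(link["url"]).hostname or "")
    return (dom in FREE_FILE_HOSTS or dom in FREE_SUBDOMAIN_HOSTS
            or dom in URL_SHORTENERS
            or link.get("landing_captcha", False)
            or link.get("landing_phishing", False))


def matches_rule(msg):
    """True when the message satisfies every modelled condition of the rule."""
    if msg["sender"].lower() not in GOOGLE_DRIVE_SENDERS:
        return False
    if not (msg["spf_pass"] and msg["dmarc_pass"]):
        return False
    if not msg["reply_to_is_new"]:  # reply-to not previously seen for this sender
        return False
    if not SUSPICIOUS_TERMS.search(msg["body"]):
        return False
    return any(link_is_suspicious(link) for link in msg["links"])


# Constructed sample messages (not real captures).
PHISH = {"sender": "drive-shares-noreply@google.com", "spf_pass": True, "dmarc_pass": True,
         "reply_to_is_new": True,
         "body": "URGENT: verify your account to view the shared invoice.",
         "links": [{"url": "https://docs.google.com/document/d/abc",
                    "landing_captcha": False, "landing_phishing": False},
                   {"url": "https://bit.ly/3xyz",
                    "landing_captcha": True, "landing_phishing": False}]}
BENIGN = dict(PHISH, body="Alice shared the Q3 planning notes with you.",
              links=[PHISH["links"][0]])
```

A genuine share notification fails on the body and link checks even though its sender and authentication results are identical to the phishing sample, which is what keeps this rule from flagging ordinary Google Drive traffic.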
Categories
- Cloud
- Web
Data Sources
- User Account
- Network Traffic
- Process
Created: 2024-09-11