Link: Document sharing invitation template

Sublime Rules

Summary
This rule detects inbound messages whose current thread text contains the exact phrase 'has invited you to VIEW the following document:' and that also include at least one link. The pattern matches social engineering campaigns in which an attacker prompts the recipient to view a shared document, typically hosted on a malicious or deceptive file host, to harvest credentials or deliver malware.

The rule performs content analysis on the inbound thread (specifically body.current_thread.text) and requires a link (body.current_thread.links length > 0), so it flags potential credential phishing attempts that rely on document-sharing invitations. It is categorized under credential phishing, with tactics around social engineering and free file hosting.

The detection method is a straightforward string containment check. That makes it effective against campaigns where attackers reuse a known lure, but it may be susceptible to slight phrasing variations, and it may also match legitimate invitations that happen to use the same template. The rule provides a high-severity signal for further investigation and response.
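
The two conditions described in the summary, modelled in Python as an added example (this is not the rule's own source). The message dictionaries mirror the body.current_thread.text and body.current_thread.links fields named above; the sample messages, the case-sensitive reading of "exact phrase", and the hypothetical tolerant_matches variant that normalizes whitespace and case are assumptions of this example.

```python
import re
import unicodedata

# Lure phrase quoted in the rule summary.
LURE = "has invited you to VIEW the following document:"

def _thread(msg):
    return msg["body"]["current_thread"]

def rule_matches(msg):
    """Summary's two conditions: exact phrase in thread text AND at least one link.
    Case-sensitive matching is this example's reading of 'exact phrase'."""
    t = _thread(msg)
    return LURE in t["text"] and len(t["links"]) > 0

def _normalize(text):
    # NFKC turns non-breaking spaces into plain spaces; then collapse
    # whitespace runs (including line wraps) and fold case.
    return re.sub(r"\s+", " ", unicodedata.normalize("NFKC", text)).casefold()

def tolerant_matches(msg):
    """Hypothetical variant: same conditions, compared after normalization."""
    t = _thread(msg)
    return _normalize(LURE) in _normalize(t["text"]) and len(t["links"]) > 0

def _msg(text, links):
    return {"body": {"current_thread": {"text": text, "links": links}}}

# Constructed sample messages (not real traffic).
SAMPLES = {
    "exact_lure": _msg("Pat has invited you to VIEW the following document:\nQ3 report",
                       ["https://files.example.test/d/1"]),
    "wrapped_lure": _msg("Pat has invited you to\nview the\u00a0following document:",
                         ["https://files.example.test/d/2"]),
    "lure_no_link": _msg("Pat has invited you to VIEW the following document:", []),
    "unrelated": _msg("Minutes from Tuesday attached.", ["https://example.com/minutes"]),
}

def evaluate(samples=SAMPLES):
    """Return {name: (rule_matches, tolerant_matches)} for each sample."""
    return {k: (rule_matches(m), tolerant_matches(m)) for k, m in samples.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

The normalized comparison recovers the line-wrapped, differently cased copy of the template that the exact check misses, and it still requires a link; it does nothing to separate legitimate invitations that use the same wording.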
Categories
  • Web
  • Endpoint
  • Application
Data Sources
  • Application Log
Created: 2026-06-13