Link: Scribd Fullscreen Link From Suspicious Sender

Sublime Rules

Summary
This detection rule flags inbound messages that contain Scribd links configured to open in fullscreen mode and that come from senders with no prior benign communication with the organization. The rule applies only to messages with fewer than 10 links; for each link it verifies that the domain resolves to scribd.com and that the URL carries a 'fullscreen' query parameter. The pattern matters for credential phishing, where attackers host a lure on a trusted document-sharing platform so that the viewer itself lends legitimacy to a request for credentials. Combining sender history with link inspection keeps legitimate Scribd sharing from known contacts out of the alert queue while still surfacing unsolicited fullscreen documents. When the sender has no prior benign interactions and the message contains such a link, the rule triggers an alert for review.
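The following is an added illustration of the detection logic described above, written in Python rather than Sublime's MQL; it is not the rule's own source. The message shape, the sender-history lookup, and the sample messages are all constructed for the example. The 'fullscreen' check matches the parameter's presence regardless of its value, and the host check accepts scribd.com and its subdomains only, so look-alike hosts such as scribd.com.evil.example do not match.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

MAX_LINKS = 10  # the rule only considers messages with fewer than 10 links


@dataclass
class Message:
    """Minimal stand-in for a mail object (assumed shape, not Sublime's)."""
    sender: str
    inbound: bool
    html_body: str


class _HrefCollector(HTMLParser):
    """Collects href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html_body: str) -> list:
    parser = _HrefCollector()
    parser.feed(html_body)
    return parser.hrefs


def is_scribd_fullscreen_link(url: str) -> bool:
    """True when the URL is on scribd.com (or a subdomain) and carries a
    'fullscreen' query parameter, whatever its value."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    host = (parsed.hostname or "").lower()
    # Exact root or a real subdomain; rejects scribd.com.evil.example
    if host != "scribd.com" and not host.endswith(".scribd.com"):
        return False
    return "fullscreen" in parse_qs(parsed.query, keep_blank_values=True)


def evaluate(msg: Message, benign_history: dict) -> bool:
    """Return True when the message should be alerted on.

    benign_history maps a sender address to the count of prior benign
    messages (assumed lookup; a real deployment would query the sender
    profile store)."""
    if not msg.inbound:
        return False
    links = extract_links(msg.html_body)
    if len(links) >= MAX_LINKS:
        return False
    if benign_history.get(msg.sender.lower(), 0) > 0:
        return False
    return any(is_scribd_fullscreen_link(u) for u in links)


# Constructed sample data
BENIGN_HISTORY = {"vendor@partner.example": 12}

FULLSCREEN = ('<p>Your invoice is ready.</p>'
              '<a href="https://www.scribd.com/document/12345/Invoice?fullscreen=1">View</a>')
PLAIN = '<a href="https://www.scribd.com/document/12345/Invoice">View</a>'
LOOKALIKE = '<a href="https://scribd.com.evil.example/document?fullscreen=true">View</a>'
MANY = "".join('<a href="https://example.test/%d">x</a>' % i for i in range(9)) + FULLSCREEN

SAMPLES = {
    "unknown_fullscreen": Message("docs@unknown-sender.example", True, FULLSCREEN),
    "known_fullscreen": Message("vendor@partner.example", True, FULLSCREEN),
    "unknown_plain_link": Message("docs@unknown-sender.example", True, PLAIN),
    "unknown_lookalike": Message("docs@unknown-sender.example", True, LOOKALIKE),
    "outbound": Message("staff@corp.example", False, FULLSCREEN),
    "too_many_links": Message("docs@unknown-sender.example", True, MANY),
}


def run_samples() -> dict:
    return {name: evaluate(m, BENIGN_HISTORY) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print("%-20s %s" % (name, "ALERT" if hit else "pass"))
```

Only the first sample alerts. The sender-history gate is what keeps this rule usable: fullscreen viewing is a legitimate Scribd feature, so the link alone is weak evidence, and a known contact sending the same URL passes.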
Categories
  • Web
  • Endpoint
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2025-05-15