File sharing link from suspicious sender domain

Sublime Rules

Summary
This detection rule flags potentially malicious file-sharing links in emails sent from suspicious sender domains. It looks for messages containing links to known free file hosting services, excluding links to image content, which is common in benign correspondence. The sender's domain is then checked against a predefined list of suspicious top-level domains (TLDs), the TLDs that are most frequently abused for phishing and malware delivery. As an additional layer of scrutiny, the rule assesses the sender's message history: whether the current message was solicited by the recipient, and whether the sender has previously sent malicious or spam content. By combining sender analysis with URL analysis, the rule aims to catch both credential phishing and malware/ransomware delivery before the message reaches the end user.
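The following is an added illustration of the three conditions the summary describes (free-file-host link that is not an image, sender TLD on a suspicious list, sender unsolicited or with a bad history), written as plain Python rather than the rule's own query language. It is not the Sublime rule's source. The host list, TLD list, sample addresses and message bodies are constructed for the example, and the `SenderProfile` fields stand in for whatever sender-history signals a real mail platform exposes.

```python
"""Illustrative re-implementation of the detection logic described above.

Added example, not the Sublime rule's own code. All lists and samples
below are constructed for demonstration.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed for this example; the rule's real lists are not reproduced here.
FREE_FILE_HOSTS = {"wetransfer.com", "mega.nz", "dropbox.com", "drive.google.com", "transfer.sh"}
SUSPICIOUS_TLDS = {"xyz", "top", "icu", "click", "cam"}
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".webp", ".svg")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Message:
    sender: str  # From header value, e.g. "HR Team <hr@payroll-update.xyz>"
    body: str    # plain-text body; links are extracted from it


@dataclass
class SenderProfile:
    """Hypothetical stand-in for the sender history a mail platform keeps."""
    solicited: bool          # has the recipient previously mailed this sender?
    prior_malicious: int = 0  # earlier messages from this sender flagged as malicious
    prior_spam: int = 0       # earlier messages from this sender flagged as spam


def extract_links(body: str) -> list[str]:
    # Prose often ends a URL with punctuation ("see https://x.example/f."); strip it.
    return [m.rstrip(".,;:)]}>") for m in URL_RE.findall(body)]


def host_matches(host: str, known: set[str]) -> bool:
    # Match the host itself or any subdomain of a listed host.
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in known)


def is_file_sharing_link(url: str) -> bool:
    """Link points at a known free file host and does not fetch an image asset."""
    parsed = urlparse(url)
    if not parsed.hostname or not host_matches(parsed.hostname, FREE_FILE_HOSTS):
        return False
    # Image links on these hosts are excluded, as the rule treats them as benign.
    return not parsed.path.lower().endswith(IMAGE_EXTENSIONS)


def sender_tld(sender: str) -> str:
    """Last DNS label of the sender's domain, from a From header value."""
    domain = sender.rsplit("@", 1)[-1].strip(">").lower()
    return domain.rsplit(".", 1)[-1]


def sender_is_untrusted(profile: Optional[SenderProfile]) -> bool:
    """Unknown sender, unsolicited message, or a prior malicious/spam record."""
    if profile is None:
        return True
    return (not profile.solicited) or profile.prior_malicious > 0 or profile.prior_spam > 0


def rule_matches(msg: Message, profile: Optional[SenderProfile]) -> bool:
    """True only when all three signals from the summary line up."""
    if sender_tld(msg.sender) not in SUSPICIOUS_TLDS:
        return False
    if not any(is_file_sharing_link(u) for u in extract_links(msg.body)):
        return False
    return sender_is_untrusted(profile)


if __name__ == "__main__":
    # Constructed sample: unsolicited mail from a suspicious TLD with a file-host link.
    sample = Message("HR Team <hr@payroll-update.xyz>",
                     "Your updated payslip: https://wetransfer.com/downloads/abc123.")
    print("match" if rule_matches(sample, SenderProfile(solicited=False)) else "no match")
```

The ordering in `rule_matches` is deliberate: the cheap TLD check runs first, URL parsing second, and the sender-history lookup (the expensive call in a real deployment) last, so most benign mail is rejected before any history query is made.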
Categories
  • Web
  • Endpoint
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Internet Scan
  • Network Traffic
  • Application Log
  • Web Credential
Created: 2021-02-19