
Summary
This detection rule identifies suspicious SharePoint file-share notifications whose shared item is a personal OneNote or PDF file named to mirror the sender's display name, a technique often employed in credential phishing attacks. The rule examines inbound emails for headers characteristic of SharePoint file-sharing notifications, such as a Message-ID originating from 'odspnotify', and for phrases typical of those notifications in the email body, such as "shared a file with you" or "invited you to access a file". To confirm the links are relevant, it then analyzes the URL path for indicators that the share is a personal link and that it points to either a OneNote or a PDF file. Should all of these conditions match, the rule triggers, thereby safeguarding users against social engineering schemes that aim to compromise personal and sensitive data.
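As an added example, not part of the rule itself, the following Python applies the conditions described above to a constructed SharePoint notification email. The '/personal/' path segment, the .pdf/.one/.onetoc2 extensions and every sample header and body value are assumptions, not values taken from the rule.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, unquote

# Constructed sample notification (illustrative header and body values).
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@example.com>
To: victim@example.org
Subject: Jane Doe shared "Jane Doe" with you
Message-ID: <abc123@odspnotify>
Content-Type: text/plain

Jane Doe shared a file with you.
Open: https://contoso-my.sharepoint.com/personal/jane_doe_example_com/Documents/Jane%20Doe.pdf
"""

SHARE_PHRASES = ("shared a file with you", "invited you to access a file")
# Assumed indicators (not from the rule text): personal OneDrive shares carry
# "/personal/" in the URL path; OneNote and PDF extensions are listed here.
SUSPECT_EXTENSIONS = (".pdf", ".one", ".onetoc2")

def normalize(text):
    """Lower-case and keep only letters and digits for a loose name match."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def sender_named_links(body, sender_name):
    """Return links to personal OneNote/PDF files whose stem mirrors the sender."""
    hits = []
    for url in re.findall(r"https?://\S+", body):
        path = unquote(urlparse(url).path)
        stem, _, ext = path.rsplit("/", 1)[-1].rpartition(".")
        if "/personal/" not in path or "." + ext.lower() not in SUSPECT_EXTENSIONS:
            continue
        if normalize(stem) == normalize(sender_name):
            hits.append(url)
    return hits

def is_sender_named_personal_share(raw):
    """Combine the three conditions: odspnotify Message-ID, share phrase, link."""
    msg = message_from_string(raw)
    if "odspnotify" not in (msg.get("Message-ID") or "").lower():
        return False
    sender_name, _ = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    if not any(p in body.lower() for p in SHARE_PHRASES):
        return False
    return bool(sender_named_links(body, sender_name))
```

A benign share of the same kind (for example a file named "Budget.pdf") passes the header and phrase checks but fails the name-mirroring check, so it does not trigger.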
Categories
- Cloud
- Web
- Application
Data Sources
- Process
- Network Traffic
- Application Log
Created: 2025-07-16