
Link: Suspicious SharePoint Document Name

Sublime Rules

Summary
This rule flags SharePoint file-sharing notifications whose shared document carries a suspicious name. It fires when the subject or body contains file-sharing language, but excludes wording that grants editing permission, since that signals ordinary collaboration rather than a lure. Links in the message are inspected in several ways: the origin domain of each link is checked, and the display text is matched against patterns typical of credential-phishing lures, such as misleading document names or names that reference financial or "secure" documents. Natural language understanding is applied to pick out organization names, and the rule fires only when the sender has no prior history of communicating with the recipient. Together these checks target credential phishing delivered through otherwise legitimate SharePoint sharing. Severity is low: a suspicious document name on a genuine sharing link is an indicator of phishing, not proof of compromise, so alerts from this rule warrant review rather than immediate escalation.
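The decision path described above, reproduced as an added example in Python. This is not the rule's own MQL (which is only summarized on this page); the sender domain, link hosts, phrase lists, name patterns and sample emails are all assumptions constructed for the example, the "first-time sender" check is a boolean stand-in for a sender-profile lookup, and the organization-name NLU step is not reproduced.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Link:
    href: str          # resolved link target
    display_text: str  # anchor text shown to the recipient (the "document name")


@dataclass
class Email:
    sender: str              # header From address
    subject: str
    body: str
    links: list
    first_time_sender: bool  # stand-in for a sender-profile lookup (assumption)


# Assumed From-domain of SharePoint sharing notifications (assumption, not from the rule).
SHAREPOINT_SENDER_DOMAINS = ("sharepointonline.com",)
# Assumed hosts that identify a SharePoint/OneDrive share link (assumption).
SHAREPOINT_LINK_HOSTS = ("sharepoint.com", "1drv.ms", "onedrive.live.com")

# Phrases that indicate a file is being shared, and phrases that connote
# editing permissions (ordinary collaboration) and therefore exclude the email.
SHARE_PHRASES = ("shared a file with you", "shared a document with you", "shared with you", "has shared")
EDIT_PHRASES = ("can edit", "edit permission", "invited you to edit")

# Constructed display-text patterns: financial, secure-themed, signature-themed
# and misleading (double-extension) document names. Illustrative only.
# Lookarounds are used instead of \b because underscores in file names
# ("Invoice_2024.pdf") count as word characters and would defeat \b.
SUSPICIOUS_NAME_PATTERNS = (
    re.compile(r"(?<![a-z])(invoice|payment|remittance|wire transfer|purchase order|statement)(?![a-z])", re.I),
    re.compile(r"(?<![a-z])(secure|protected|encrypted|confidential)[ _-]+(doc|document|file|message)(?![a-z])", re.I),
    re.compile(r"(?<![a-z])(docusign|e-?sign|signature required)(?![a-z])", re.I),
    re.compile(r"\.(pdf|docx?|xlsx?)\.(html?|exe|zip)(?![a-z])", re.I),
)


def _host_in(host: str, allowed) -> bool:
    """Exact or subdomain match; rejects look-alikes such as sharepoint.com.evil.example."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in allowed)


def is_sharepoint_sender(address: str) -> bool:
    return _host_in(address.rsplit("@", 1)[-1], SHAREPOINT_SENDER_DOMAINS)


def is_sharepoint_link(href: str) -> bool:
    return _host_in(urlparse(href).hostname or "", SHAREPOINT_LINK_HOSTS)


def suspicious_display_text(text: str) -> list:
    """Return the patterns a document name triggers (empty list if benign)."""
    return [p.pattern for p in SUSPICIOUS_NAME_PATTERNS if p.search(text)]


def evaluate(email: Email) -> dict:
    """Walk the rule's decision path; returns {'match': bool, 'reasons': [...]}."""
    if not is_sharepoint_sender(email.sender):
        return {"match": False, "reasons": ["not a SharePoint notification sender"]}
    text = f"{email.subject}\n{email.body}".lower()
    if not any(p in text for p in SHARE_PHRASES):
        return {"match": False, "reasons": ["no file-sharing language"]}
    if any(p in text for p in EDIT_PHRASES):
        return {"match": False, "reasons": ["edit-permission phrasing (collaboration, excluded)"]}
    # Only links that actually point at SharePoint are judged by their display text.
    flagged = [(l.display_text, suspicious_display_text(l.display_text))
               for l in email.links if is_sharepoint_link(l.href)]
    flagged = [(name, hits) for name, hits in flagged if hits]
    if not flagged:
        return {"match": False, "reasons": ["no SharePoint link with a suspicious document name"]}
    if not email.first_time_sender:
        return {"match": False, "reasons": ["sender has communicated with recipient before"]}
    return {"match": True, "severity": "low",
            "reasons": [f"document name {name!r} matched {len(hits)} pattern(s)" for name, hits in flagged]}


# Constructed sample messages (not real mail).
SHARE_LINK = "https://contoso-example-my.sharepoint.com/:b:/g/personal/finance_contoso-example_com/AbC123"
BASE_BODY = "Finance Team has shared a file with you. Click the link below to open it."
SENDER = "no-reply@sharepointonline.com"
SAMPLES = {
    "phish": Email(SENDER, 'Finance Team shared "Invoice_2024-07.pdf" with you',
                   BASE_BODY, [Link(SHARE_LINK, "Invoice_2024-07.pdf")], first_time_sender=True),
    "collab": Email(SENDER, 'Finance Team shared "Invoice_2024-07.pdf" with you',
                    BASE_BODY + " You can edit this document.",
                    [Link(SHARE_LINK, "Invoice_2024-07.pdf")], first_time_sender=True),
    "benign_name": Email(SENDER, 'Finance Team shared "Q3 offsite agenda.docx" with you',
                         BASE_BODY, [Link(SHARE_LINK, "Q3 offsite agenda.docx")], first_time_sender=True),
    "known_sender": Email(SENDER, 'Finance Team shared "Invoice_2024-07.pdf" with you',
                          BASE_BODY, [Link(SHARE_LINK, "Invoice_2024-07.pdf")], first_time_sender=False),
}

if __name__ == "__main__":
    for name, mail in SAMPLES.items():
        print(f"{name:12s} -> {evaluate(mail)}")
```

Of the four constructed samples only "phish" fires; the other three each trip one of the exclusions (edit-permission wording, a benign document name, a sender with prior history), which is why the rule can stay at low severity without drowning analysts in collaboration traffic. The `_host_in` check matters: matching `"sharepoint.com" in href` would accept a look-alike host, so the comparison is on the parsed hostname with an exact or dot-prefixed suffix match.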
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
Created: 2024-07-19