
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender
Sublime Rules
Summary
This detection rule identifies potentially malicious emails that carry RFC822 attachments containing suspicious file-sharing language, particularly when they come from unknown or unsolicited sources. The rule combines language patterns with metadata analysis, focusing on phrases that indicate file-sharing activity (such as 'shared with you' or 'View Document'). It filters out known trusted sender domains and excludes common bounce-back and administrative emails that would otherwise generate false positives. The logic also requires the email to contain links, but fewer than 10 of them, to reduce noise in detection. It additionally considers the sender's DMARC authentication result, which determines whether a sender is classified as trusted or suspicious. The rule is designed to flag unsolicited communications accurately while keeping false alerts to a minimum.
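The following Python sketch illustrates the detection logic described above. It is an added example, not the Sublime rule itself: it assumes a simplified message model (sender address, a DMARC result string, and a list of attachments), and the allowlisted domain `trusted-example.com`, the bounce-sender local parts, and the file-sharing phrase list are hypothetical placeholders rather than the rule's real lists. The sample messages it evaluates are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical allowlist and bounce indicators for this illustration only;
# the real rule's lists are not reproduced here.
TRUSTED_SENDER_DOMAINS = {"trusted-example.com"}
BOUNCE_LOCAL_PARTS = {"mailer-daemon", "postmaster"}
FILE_SHARING_PHRASES = [
    r"shared (?:a |an )?(?:file |document |item )?with you",
    r"view document",
]
LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)
MAX_LINKS = 10  # the rule requires fewer than 10 links


@dataclass
class Attachment:
    content_type: str
    body: str


@dataclass
class Message:
    sender: str
    dmarc: str  # simplified DMARC result: "pass", "fail" or "none"
    attachments: list = field(default_factory=list)


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def sender_local_part(address: str) -> str:
    return address.rsplit("@", 1)[0].lower()


def is_trusted_sender(msg: Message) -> bool:
    # An allowlisted domain only counts as trusted when DMARC passes;
    # otherwise a spoofed From: header would be waved through.
    return sender_domain(msg.sender) in TRUSTED_SENDER_DOMAINS and msg.dmarc == "pass"


def is_bounce(msg: Message) -> bool:
    # Bounce-backs and mailer notifications are excluded to cut false positives.
    return sender_local_part(msg.sender) in BOUNCE_LOCAL_PARTS


def has_file_sharing_language(text: str) -> bool:
    return any(re.search(p, text, re.IGNORECASE) for p in FILE_SHARING_PHRASES)


def evaluate(msg: Message) -> bool:
    """Return True when the message should be flagged by this logic."""
    if is_trusted_sender(msg) or is_bounce(msg):
        return False
    for att in msg.attachments:
        # Only RFC822 (forwarded message) attachments are inspected.
        if att.content_type.lower() != "message/rfc822":
            continue
        if not has_file_sharing_language(att.body):
            continue
        link_count = len(LINK_RE.findall(att.body))
        # Links must be present, but fewer than MAX_LINKS, to reduce noise.
        if 0 < link_count < MAX_LINKS:
            return True
    return False


def sample_messages() -> dict:
    """Constructed sample messages (not real traffic)."""
    share_body = ("A document has been shared with you.\n"
                  "View Document: https://files.unknown-example.net/d/1\n")
    rfc822 = Attachment("message/rfc822", share_body)
    many_links = Attachment(
        "message/rfc822",
        "Shared with you: " + " ".join(f"https://unknown-example.net/f/{i}" for i in range(12)),
    )
    return {
        "unknown_sender": Message("notify@unknown-example.net", "none", [rfc822]),
        "trusted_dmarc_pass": Message("share@trusted-example.com", "pass", [rfc822]),
        "trusted_dmarc_fail": Message("share@trusted-example.com", "fail", [rfc822]),
        "bounce": Message("mailer-daemon@unknown-example.net", "none", [rfc822]),
        "too_many_links": Message("notify@unknown-example.net", "none", [many_links]),
        "plain_attachment": Message("notify@unknown-example.net", "none",
                                    [Attachment("text/plain", share_body)]),
    }


if __name__ == "__main__":
    for name, msg in sample_messages().items():
        print(f"{name:20s} flagged={evaluate(msg)}")
```

Note that the allowlist check is tied to the DMARC result: a message claiming to come from an allowlisted domain but failing DMARC is still evaluated, which is the behaviour the summary describes when it says authentication results affect whether a sender is treated as trusted or suspicious.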
Categories
- Endpoint
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2024-04-03