
Summary
This detection rule identifies suspicious DocSend shares in which the reply-to email address or domain is unfamiliar to the recipient organization. It fires when an incoming email meets all of the following criteria: the message originates from known legitimate DocSend infrastructure (verified with SPF and DMARC checks), and its reply-to address has either never communicated with the organization or has a history of unsolicited mail. To reduce false positives, the rule also confirms that the reply-to address has not been associated with any benign messages. It therefore combines content, header, and sender analysis to surface potential phishing attempts that abuse the DocSend platform, a service commonly used for sharing documents and files. Because this rule is assigned a high severity, organizations should prioritize its alerts so that credential phishing delivered through unsolicited document shares can be addressed quickly.
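The following Python block is an added worked example, not the rule's own implementation, that walks through the conditions described above over constructed sample messages: it requires the sender to be DocSend infrastructure with SPF and DMARC passing, treats the reply-to as unfamiliar when it has never mailed the organization or has only ever been unsolicited, notes when the reply-to domain is also unfamiliar, and suppresses the alert when the address has benign history. The `DOCSEND_SENDER_DOMAINS` set, the `Message` and `SenderHistory` records, and every address in the samples are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed set of legitimate DocSend sending domains (constructed placeholder;
# the rule's real sender-infrastructure list is not given on the page).
DOCSEND_SENDER_DOMAINS = {"docsend.com"}


@dataclass(frozen=True)
class Message:
    """Header facts the rule consumes; every value here is a constructed sample."""
    sender_domain: str   # domain of the sending infrastructure
    spf_pass: bool       # outcome of the SPF check
    dmarc_pass: bool     # outcome of the DMARC check
    reply_to: str        # Reply-To header value, "" when absent


@dataclass
class SenderHistory:
    """What the recipient organization already knows about reply-to senders (constructed)."""
    seen_addresses: set = field(default_factory=set)         # any prior mail from the address
    unsolicited_addresses: set = field(default_factory=set)  # prior mail was only unsolicited
    benign_addresses: set = field(default_factory=set)       # address tied to known-benign mail
    seen_domains: set = field(default_factory=set)           # any prior mail from the domain


def reply_to_domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or "" if it has none."""
    _, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""


def evaluate(msg: Message, history: SenderHistory) -> tuple[bool, list[str]]:
    """Apply the rule to one message and return (triggered, reasons)."""
    if msg.sender_domain.lower() not in DOCSEND_SENDER_DOMAINS:
        return False, ["sender is not DocSend infrastructure"]
    if not (msg.spf_pass and msg.dmarc_pass):
        # Mail that fails authentication is outside this rule's scope.
        return False, ["SPF or DMARC did not pass"]
    address = msg.reply_to.strip().lower()
    if not address:
        return False, ["no reply-to header to assess"]

    reasons = []
    if address not in history.seen_addresses:
        reasons.append(f"reply-to {address} has never mailed the organization")
    elif address in history.unsolicited_addresses:
        reasons.append(f"reply-to {address} has only ever been unsolicited")
    if not reasons:
        return False, ["reply-to has prior solicited history"]

    domain = reply_to_domain(address)
    if domain and domain not in history.seen_domains:
        reasons.append(f"reply-to domain {domain} is also unfamiliar")

    # False-positive guard: benign history for the address suppresses the alert.
    if address in history.benign_addresses:
        return False, ["reply-to has benign message history"]
    return True, reasons


# Constructed organization history used by the samples below.
SAMPLE_HISTORY = SenderHistory(
    seen_addresses={"alice@partner.example", "promo@bulk.example", "news@list.example"},
    unsolicited_addresses={"promo@bulk.example", "news@list.example"},
    benign_addresses={"news@list.example"},
    seen_domains={"partner.example", "bulk.example", "list.example"},
)

# Constructed sample messages, one per branch of the rule.
SAMPLE_MESSAGES = {
    "unknown_reply_to": Message("docsend.com", True, True, "Finance.Team@invoices-portal.example"),
    "known_partner": Message("docsend.com", True, True, "alice@partner.example"),
    "unsolicited_history": Message("docsend.com", True, True, "promo@bulk.example"),
    "benign_suppressed": Message("docsend.com", True, True, "news@list.example"),
    "auth_failed": Message("docsend.com", True, False, "anyone@invoices-portal.example"),
    "not_docsend": Message("mailer.example", True, True, "anyone@invoices-portal.example"),
}


def run_samples() -> dict:
    """Evaluate every sample and report which ones trigger the rule."""
    return {name: evaluate(msg, SAMPLE_HISTORY)[0] for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        triggered, reasons = evaluate(msg, SAMPLE_HISTORY)
        print(f"{name:22s} triggered={triggered} {'; '.join(reasons)}")
```

Only `unknown_reply_to` and `unsolicited_history` trigger: the former because neither the address nor its domain has ever mailed the organization, the latter because the only prior contact from the address was unsolicited. The `benign_suppressed` sample shows the false-positive guard in action, and the authentication and sender-infrastructure checks drop spoofed or non-DocSend mail before any reply-to analysis happens.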
Categories
- Web
- Cloud
- Endpoint
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2024-12-18