
Service abuse: Adobe Creative Cloud share from an unsolicited sender address

Sublime Rules

Summary
This detection rule identifies potential abuse of the Adobe Creative Cloud sharing service through unsolicited share notifications. It targets messages that genuinely originate from Adobe: the message must be inbound and must pass SPF and DMARC authentication, which excludes spoofed Adobe senders (those are a separate detection) and reduces false positives. The core logic extracts the sharer's email address from the HTML body of the notification, in particular from the shared-document link, because the header From address belongs to Adobe rather than to the person who initiated the share. If that sharer's address is outside the organization's known domains, does not match a trusted account, and has not been observed before (an unsolicited sender), the rule raises an alert. This counters credential-phishing campaigns that route lures through a reputable service so that the message arrives fully authenticated from a trusted brand and bypasses sender-reputation controls.
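The following Python script is an added illustration of the checks described above; it is not the Sublime rule itself (which is written in Sublime's query language and whose field names are not shown on this page), and the Adobe sender domains, organization domains and sample messages are constructed assumptions. It shows the order of checks that matters in practice: authentication first, so the rule only fires on mail Adobe really sent, then extraction of the sharer address from the decoded HTML body rather than from the header From.

```python
import html
import re
from dataclasses import dataclass

# Assumption: domains the legitimate Adobe share notification is sent from.
# The real rule's list is not shown on the page.
ADOBE_SENDER_DOMAINS = {"adobe.com", "mail.adobe.com"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Message:
    inbound: bool
    sender_domain: str      # domain of the header From address
    spf_pass: bool
    dmarc_pass: bool
    html_body: str


def extract_body_addresses(html_body: str) -> set[str]:
    """Return every e-mail address found in the HTML body, lower-cased.

    HTML entities are decoded first, so an address written as
    mallory&#64;freemail.example is still matched by the regex."""
    text = html.unescape(html_body)
    return {m.lower() for m in EMAIL_RE.findall(text)}


def evaluate(msg, org_domains, trusted_senders, previously_seen):
    """Return (alert, reason) for one message, mirroring the rule's logic."""
    if not msg.inbound:
        return False, "not inbound"
    # Failing SPF/DMARC means the Adobe address was spoofed. That is a
    # different detection, so this rule only considers authenticated mail.
    if not (msg.spf_pass and msg.dmarc_pass):
        return False, "authentication failed"
    if msg.sender_domain.lower() not in ADOBE_SENDER_DOMAINS:
        return False, "not an Adobe notification"

    # The sharer is whoever appears in the body that is not Adobe itself.
    sharers = {
        a for a in extract_body_addresses(msg.html_body)
        if a.split("@", 1)[1] not in ADOBE_SENDER_DOMAINS
    }
    if not sharers:
        return False, "no sharer address in body"

    for addr in sorted(sharers):
        domain = addr.split("@", 1)[1]
        if domain in org_domains:
            continue                      # internal colleague sharing a file
        if addr in trusted_senders or addr in previously_seen:
            continue                      # known external contact
        return True, f"share from unsolicited external sender {addr}"
    return False, "all sharers known"


# Constructed sample data (not from the page).
ORG_DOMAINS = {"example.com"}
TRUSTED_SENDERS = {"partner@vendor.example"}
PREVIOUSLY_SEEN = set()

SUSPICIOUS = Message(
    inbound=True, sender_domain="mail.adobe.com", spf_pass=True, dmarc_pass=True,
    html_body='<p>mallory&#64;freemail.example shared "Invoice.pdf" with you.</p>'
              '<a href="mailto:noreply@mail.adobe.com">Open in Creative Cloud</a>',
)
BENIGN = Message(
    inbound=True, sender_domain="mail.adobe.com", spf_pass=True, dmarc_pass=True,
    html_body='<p>alice@example.com shared "Q3-deck.pdf" with you.</p>',
)
SPOOFED = Message(
    inbound=True, sender_domain="adobe.com", spf_pass=False, dmarc_pass=False,
    html_body='<p>mallory@freemail.example shared "Invoice.pdf" with you.</p>',
)

if __name__ == "__main__":
    for name, m in [("suspicious", SUSPICIOUS), ("benign", BENIGN), ("spoofed", SPOOFED)]:
        print(name, evaluate(m, ORG_DOMAINS, TRUSTED_SENDERS, PREVIOUSLY_SEEN))
```

Note that the spoofed message is deliberately not flagged here: the rule's point is the abuse of a service that passes authentication, and a failing DMARC result belongs to a spoofing detection instead. Once an external sharer has been observed and triaged, adding the address to the previously-seen set stops repeat alerts for that contact.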
Categories
  • Web
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2025-10-25