
Service abuse: Citrix ShareFile impersonation via Outlook plugin

Sublime Rules

Summary
Detects inbound email messages carrying a Word document attachment (.doc or .docx) whose extracted content references Citrix ShareFile together with an Outlook plugin indicator: the attachment text contains sharefile.com and a parameter such as src=system-email-outlookplugin-new. That parameter is the one carried by ShareFile links generated through the Outlook plugin, so finding it embedded inside an attached document points to abuse of a legitimate file-sharing service to deliver a credential-phishing lure behind a trusted brand. The rule relies on file-type checks and content analysis (recursively exploding the attachment and testing the extracted strings for both substrings) rather than network indicators, so it evaluates the message itself without external lookups and is suitable for endpoint or email security gateway detection. Because the same parameter appears in legitimate ShareFile plugin traffic, the string by itself is not the signal; its presence inside a Word attachment is, and matches from senders who routinely exchange ShareFile links warrant analyst review rather than automatic rejection. Severity is medium, consistent with BEC and credential-phishing attacks that route lures through trusted file-hosting workflows to bypass reputation-based defenses.
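The following is an added example, not the rule's own source: a Python approximation of the logic the summary describes, run over constructed messages. It parses an inbound RFC 5322 message, selects Word attachments by extension or declared MIME type, extracts their text (unzipping the XML of a .docx, scanning a legacy .doc as raw bytes) and flags the message only when the extracted text contains both sharefile.com and src=system-email-outlookplugin-new. The sender addresses, subdomain and share link below are hypothetical sample data built inline so the script runs offline.

```python
"""Approximation of the ShareFile/Outlook-plugin attachment check (added example,
not Sublime's rule source). All sample messages and URLs below are constructed."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from xml.sax.saxutils import escape

SHAREFILE_HOST = "sharefile.com"
PLUGIN_PARAM = "src=system-email-outlookplugin-new"
WORD_EXTENSIONS = (".doc", ".docx")
DOCX_SUBTYPE = "vnd.openxmlformats-officedocument.wordprocessingml.document"
WORD_MIME_TYPES = {"application/msword", "application/" + DOCX_SUBTYPE}


def is_word_attachment(part) -> bool:
    """File-type check: filename extension or declared MIME type (either can be spoofed, so accept both)."""
    name = (part.get_filename() or "").lower()
    return name.endswith(WORD_EXTENSIONS) or part.get_content_type() in WORD_MIME_TYPES


def extract_text(blob: bytes) -> str:
    """Content extraction. A .docx is a ZIP of XML parts: read every .xml member and strip tags.
    Anything else (legacy OLE .doc, or a mislabelled file) is scanned as raw bytes, which still
    exposes ASCII URLs embedded in the binary."""
    if blob[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                xml = b" ".join(zf.read(n) for n in zf.namelist() if n.endswith(".xml"))
            return re.sub(r"<[^>]+>", " ", xml.decode("utf-8", "replace"))
        except zipfile.BadZipFile:
            pass
    return blob.decode("latin-1")


def scan_message(raw: bytes) -> list[str]:
    """Parse one inbound message; return names of Word attachments containing BOTH the
    ShareFile host and the Outlook-plugin parameter. An empty list means no match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        if not is_word_attachment(part):
            continue
        text = extract_text(part.get_payload(decode=True) or b"").lower()
        if SHAREFILE_HOST in text and PLUGIN_PARAM in text:
            hits.append(part.get_filename() or "<unnamed>")
    return hits


# ---- constructed sample data: hypothetical addresses, subdomain and share link ----
LURE_URL = "https://acme-docs.sharefile.com/d-s1a2b3c?src=system-email-outlookplugin-new"
PLAIN_URL = "https://acme-docs.sharefile.com/d-s1a2b3c"


def build_docx(paragraph: str) -> bytes:
    """Minimal .docx: a ZIP holding [Content_Types].xml and word/document.xml with one paragraph."""
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f"<w:body><w:p><w:r><w:t>{escape(paragraph)}</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://'
                    'schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


def build_message(body: str, attachments=()) -> bytes:
    """Assemble an inbound message (hypothetical addresses) with zero or more attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example-supplier.test"
    msg["To"] = "ap@example.test"
    msg["Subject"] = "Shared document"
    msg.set_content(body)
    for filename, data, subtype in attachments:
        msg.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


# Lure: the plugin-style link sits inside the .docx, not in the body.
SAMPLE_DOCX_LURE = build_message("Please review the attached invoice.",
    [("Invoice_Q3.docx", build_docx(f"Click to view: {LURE_URL}"), DOCX_SUBTYPE)])
# Same lure as a legacy .doc: OLE magic bytes plus the link in the raw binary.
SAMPLE_DOC_LURE = build_message("Please review.",
    [("Invoice_Q3.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + f"Open: {LURE_URL}".encode() + b"\x00" * 16, "msword")])
# Non-matches: ShareFile link without the plugin parameter; link inside a PDF;
# and a plugin-style link only in the body with no Word attachment (legitimate-looking notification).
SAMPLE_NO_PARAM = build_message("See attached.", [("Notes.docx", build_docx(f"Link: {PLAIN_URL}"), DOCX_SUBTYPE)])
SAMPLE_PDF = build_message("See attached.", [("Notes.pdf", b"%PDF-1.4 " + LURE_URL.encode(), "pdf")])
SAMPLE_BODY_ONLY = build_message(f"Your colleague shared a file: {LURE_URL}")

if __name__ == "__main__":
    for label, raw in [("docx lure", SAMPLE_DOCX_LURE), ("doc lure", SAMPLE_DOC_LURE),
                       ("no param", SAMPLE_NO_PARAM), ("pdf", SAMPLE_PDF), ("body only", SAMPLE_BODY_ONLY)]:
        print(f"{label:10s} -> {scan_message(raw)}")
```

The body-only case is deliberately left unmatched: it is the shape of a genuine plugin notification, and matching on the parameter anywhere in the message would turn the rule into a detector for normal ShareFile use.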
Categories
  • Endpoint
Data Sources
  • File
Created: 2026-06-06