
Summary
This detection rule identifies EML attachments that contain SharePoint links whose subdomain diverges significantly from the sender's email domain. The threat it targets is SharePoint impersonation or domain spoofing, a tactic commonly used in phishing. The rule first checks inbound emails for EML attachments, validating each attachment by content type and file extension. It then computes the Levenshtein distance between the subdomain of each detected SharePoint link and the sender's domain, applying thresholds to decide how closely they resemble each other. A detected SharePoint link is only considered when its subdomain neither contains the sender's local part nor belongs to a trusted organizational domain. Further checks remove the trusted-sender exemption when DMARC authentication has failed, and exclude messages that stem from Proofpoint's authorized communications. The rule therefore combines granular checks against known safe domains with explicit detection of subdomain-hijack attempts, giving a solid defense against fraudulent communications that involve SharePoint links.
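The subdomain-versus-sender check described above, as an added Python example that is not the rule's own code: it parses a constructed inbound mail, pulls SharePoint links out of any EML attachment (matched by content type or .eml extension, as the rule does), and reports tenant names whose Levenshtein distance from the sender's organization exceeds a threshold. The threshold of 2, the use of the first label of the sender domain as the organization name, and the omission of the DMARC, trusted-domain and Proofpoint checks are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample: inbound mail from contoso.com carrying an EML attachment with two SharePoint links.
SAMPLE_MAIL = """\
From: Alice <alice@contoso.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822; name="forwarded.eml"

Content-Type: text/plain

https://contoso.sharepoint.com/sites/hr/file.pdf
https://xk7-filestorage-my.sharepoint.com/:b:/g/personal/doc
--b1--
"""
# Captures the tenant label of *.sharepoint.com and *-my.sharepoint.com hosts.
SHAREPOINT_RE = re.compile(r"https?://([a-z0-9-]+?)(?:-my)?\.sharepoint\.com", re.I)

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def eml_attachment_texts(msg):
    """Yield the text of each EML attachment (message/rfc822 content type or .eml filename)."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822" or (part.get_filename() or "").lower().endswith(".eml"):
            raw = part.get_payload(decode=True)  # bytes for opaque .eml attachments, None for rfc822 parts
            if raw is None:                      # message/rfc822 payload is a list of parsed Messages
                raw = "\n".join(inner.as_string() for inner in part.get_payload()).encode()
            yield raw.decode("utf-8", "replace")

def flagged_sharepoint_tenants(raw_mail, max_distance=2):
    """Tenants of SharePoint links in EML attachments that diverge from the sender's org (assumed: first domain label)."""
    msg = message_from_string(raw_mail)
    local, _, domain = parseaddr(msg.get("From", ""))[1].lower().partition("@")
    org = domain.split(".")[0]
    flagged = set()
    for text in eml_attachment_texts(msg):
        for m in SHAREPOINT_RE.finditer(text):
            tenant = m.group(1).lower()
            # keep tenants that neither carry the sender's local part nor sit within edit distance of the org
            if local not in tenant and levenshtein(tenant, org) > max_distance:
                flagged.add(tenant)
    return sorted(flagged)
```

Running `flagged_sharepoint_tenants(SAMPLE_MAIL)` returns `['xk7-filestorage']`: the contoso tenant matches the sender's organization and is dropped, while the unrelated tenant is reported.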
Categories
- Web
- Endpoint
- Identity Management
Data Sources
- User Account
- File
- Network Traffic
- Application Log
Created: 2025-09-24