
Attachment: Microsoft OAuth credential harvesting via EML with embedded malicious links
Sublime Rules
Summary
Detects inbound emails containing EML attachments with embedded links targeting Microsoft OAuth login flows (login.microsoftonline.com) used for credential harvesting. The rule analyzes links found in the EML body, as well as links within embedded PDF/HTML attachments and ICS calendar attachments, looking for patterns such as offline_access, read, readwrite, ctx, sessionId, and reprocess endpoints (/common/reprocess) with ctx/sessionId. It uses file analysis and URL/content inspection to identify potential credential phishing attempts that abuse OAuth authentication flows. A beta ICS parsing path is used to extract event links for detection.
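The detection logic described above, as an added Python illustration that is not Sublime's own rule (Sublime rules are written in MQL, and this covers only the EML-attachment path, not the PDF/HTML or ICS paths). It assumes the "read"/"readwrite" patterns refer to Graph-style scope names such as Mail.Read or Files.ReadWrite, and the sample email is constructed here.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import parse_qs, urlsplit

MS_LOGIN_HOST = "login.microsoftonline.com"
REPROCESS_PATH = "/common/reprocess"
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def is_suspicious_oauth_link(url):
    """Flag Microsoft login URLs carrying the OAuth-flow indicators named in the rule summary."""
    parts = urlsplit(url)
    if parts.hostname != MS_LOGIN_HOST:
        return False
    query = parse_qs(parts.query)
    keys = {k.lower() for k in query}
    # /common/reprocess endpoint carrying a ctx or sessionId parameter
    if parts.path.lower().startswith(REPROCESS_PATH) and keys & {"ctx", "sessionid"}:
        return True
    # offline_access or *.Read / *.ReadWrite scopes (Graph-style scope names are an assumption)
    scopes = {s.lower() for v in query.get("scope", []) for s in v.split()}
    if any(s == "offline_access" or s.endswith((".read", ".readwrite")) for s in scopes):
        return True
    return bool(keys & {"ctx", "sessionid"})

def links_in_eml_attachments(raw_email):
    """Collect URLs from text/html parts of every message/rfc822 (EML) attachment."""
    outer = email.message_from_bytes(raw_email, policy=policy.default)
    found = []
    for part in outer.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        for inner in part.get_payload():  # payload of an rfc822 part is a one-message list
            for sub in inner.walk():
                if sub.get_content_type() in ("text/plain", "text/html"):
                    found.extend(URL_RE.findall(sub.get_content()))
    return found

def flag_eml_attachments(raw_email):
    return [u for u in links_in_eml_attachments(raw_email) if is_suspicious_oauth_link(u)]

def build_sample_email():
    """Constructed sample: an outer email carrying an EML attachment with a phishing-style link."""
    inner = EmailMessage()
    inner.set_content("Open: https://login.microsoftonline.com/common/reprocess?ctx=a1&sessionId=b2\n")
    outer = EmailMessage()
    outer.add_attachment(inner)  # stored as a message/rfc822 attachment part
    return outer.as_bytes()
```

Running `flag_eml_attachments(build_sample_email())` returns the single reprocess link from the attached EML; a benign link on another host with a ctx parameter is not flagged.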
Categories
- Endpoint
- Web
Data Sources
- File
- Web Credential
Created: 2026-06-02