Attachment: Office file with document sharing and browser instruction lures

Sublime Rules

Summary
This detection rule identifies potentially malicious macro-enabled attachments that use social engineering to persuade users into executing macros or otherwise interacting with the attachment in harmful ways. It specifically targets attachments whose text contains document-sharing phrases (such as 'sent', 'shared', 'forwarded') together with browser interaction instructions (such as 'copy', 'right-click'). These lures are common in phishing campaigns that aim to steal user credentials or deliver malware. To reduce false positives, the rule limits attachments to 2MB and applies a comprehensive set of regex patterns to the document's textual content, covering both strings extracted directly from the file and OCR-derived text. By analyzing both the content and the metadata of attachments, the rule proactively flags suspicious messages that could lead to credential theft or other forms of compromise.
Categories
  • Endpoint
  • Cloud
  • Web
Data Sources
  • File
  • Process
  • Application Log
Created: 2025-09-03