
Summary
This detection rule identifies potentially suspicious emails sent from SharePoint Online to a large number of recipients where the sender's display name does not match any of the organization's known display names. Specifically, it checks for emails originating from 'no-reply@sharepointonline.com' with more than 40 recipients in the 'To' field, a pattern commonly seen in credential phishing and spam campaigns that abuse SharePoint's sharing feature. The rule compares the email headers and the sender's display name against a predefined list of organizational display names, and also checks whether any recipient's email domain belongs to a free email provider, which indicates the share is being sent to external parties. By flagging this activity, the rule aims to prevent unauthorized access or data breaches resulting from phishing attempts that exploit SharePoint's sharing capabilities, especially in environments with strict email policies.
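The following is an added example, not the rule's own implementation, showing the same conditions applied to parsed message headers in Python. The organization display names, the free-mail domain list, and the sample recipient lists are constructed stand-ins (assumptions), and the 40-recipient threshold and sender address are taken from the rule description above.

```python
from email.utils import getaddresses

# Constructed stand-in for the organization's known display names (assumption).
ORG_DISPLAY_NAMES = {"Contoso IT", "Contoso HR", "Contoso Finance"}
# Constructed stand-in for a free-mail provider list (assumption).
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
SHAREPOINT_SENDER = "no-reply@sharepointonline.com"
RECIPIENT_THRESHOLD = 40  # rule fires only on more than this many To: recipients


def parse_recipients(to_header):
    """Return (display_name, address) pairs from a To: header string."""
    return [(n, a.lower()) for n, a in getaddresses([to_header]) if a]


def domain_of(address):
    """Domain part of an email address, lower-cased by the caller."""
    return address.rsplit("@", 1)[-1]


def is_suspicious_sharepoint_share(headers):
    """Apply the rule's conditions to a dict of raw header values."""
    senders = getaddresses([headers.get("From", "")])
    if not senders:
        return False
    from_name, from_addr = senders[0]
    if from_addr.lower() != SHAREPOINT_SENDER:
        return False
    recipients = parse_recipients(headers.get("To", ""))
    if len(recipients) <= RECIPIENT_THRESHOLD:
        return False
    # SharePoint places the sharing user's name in the From display name;
    # a name outside the org list means the share came from an unknown account.
    if from_name.strip() in ORG_DISPLAY_NAMES:
        return False
    # Any recipient on a free-mail provider points to an external mass share.
    return any(domain_of(a) in FREE_MAIL_DOMAINS for _, a in recipients)


def build_to_header(n_internal, n_external):
    """Constructed sample To: header with org users plus free-mail users."""
    internal = [f"user{i}@contoso.example" for i in range(n_internal)]
    external = [f"recipient{i}@gmail.com" for i in range(n_external)]
    return ", ".join(internal + external)


# Constructed samples: one that should fire and one that should not.
SAMPLE_HIT = {"From": '"Accounts Payable" <no-reply@sharepointonline.com>',
              "To": build_to_header(38, 5)}
SAMPLE_BENIGN = {"From": '"Contoso HR" <no-reply@sharepointonline.com>',
                 "To": build_to_header(45, 0)}
```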
Categories
- Cloud
- Application
- Identity Management
Data Sources
- Cloud Service
- Application Log
- Network Traffic
Created: 2022-01-21