
Summary
This detection rule aims to identify potentially malicious Google Drive sharing notifications that are disguised to exploit the organization's trust in a legitimate communication channel. It focuses on emails purporting to come from Google Drive that carry a reply-to address not previously associated with any legitimate communication with the organization. Attackers use Google's established reputation to carry out social engineering, encouraging recipients to reply and start a conversation that can lead to phishing. The rule triggers when an incoming email has headers indicative of Google Drive sharing but a reply-to address that does not match known organizational domains. This is validated further by checking that the reply-to address has never engaged in past communications with the organization and has not been classified as benign. The rule therefore helps mitigate Business Email Compromise (BEC) and credential phishing attempts that rely on manipulating user behavior through an unsolicited share.
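The following is an added worked example of the rule's logic, written for this page; it is not the detection platform's own rule language or code. It checks a parsed message for the four conditions the summary describes: Drive-style headers, a reply-to outside the organization's domains, no prior communication history for that reply-to, and no benign classification. The organizational domains, the previously-seen and benign address sets, the Drive sender domain and subject markers, and all sample messages are constructed assumptions.

```python
"""Toy implementation of a 'Google Drive share with unknown reply-to' check.

Illustrative code written for this page; every domain list, header trait
and sample message below is a constructed assumption, not production data.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Tuple

# Assumption: the organization's own domains.
ORG_DOMAINS = {"example.com", "corp.example.com"}
# Assumption: reply-to addresses the organization has corresponded with before.
# A real deployment would query mail history instead of a static set.
PREVIOUSLY_SEEN = {"partner@vendor.example", "alice@example.com"}
# Assumption: addresses an analyst has already reviewed and marked benign.
BENIGN_ALLOWLIST = {"support@trusted-saas.example"}
# Assumption: traits used to recognise a Drive sharing notification here.
DRIVE_SENDER_DOMAINS = {"google.com"}
DRIVE_SUBJECT_MARKERS = ("shared", "invitation")


def addr_domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def looks_like_drive_share(msg: Message) -> bool:
    """True when the From domain and Subject match the assumed Drive traits."""
    _, sender = parseaddr(msg.get("From", ""))
    subject = (msg.get("Subject") or "").lower()
    return addr_domain(sender) in DRIVE_SENDER_DOMAINS and any(
        marker in subject for marker in DRIVE_SUBJECT_MARKERS
    )


def evaluate(raw: str) -> Tuple[bool, str]:
    """Return (alert, reason) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    if not looks_like_drive_share(msg):
        return False, "not a Drive sharing notification"
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_to = reply_to.lower()
    if not reply_to:
        return False, "no Reply-To header"
    if addr_domain(reply_to) in ORG_DOMAINS:
        return False, "reply-to is an organizational domain"
    if reply_to in PREVIOUSLY_SEEN:
        return False, "reply-to has prior communication history"
    if reply_to in BENIGN_ALLOWLIST:
        return False, "reply-to classified benign"
    return True, "Drive share with unknown, never-seen reply-to"


# Constructed sample messages (sender local-parts are made up for the example).
LEGIT_SHARE = """From: "Alice (via Google Drive)" <drive-notify-noreply@google.com>
Reply-To: alice@example.com
To: bob@example.com
Subject: Document shared with you: Q4 budget

Alice shared a document with you.
"""

SUSPICIOUS_SHARE = """From: "Accounts (via Google Drive)" <drive-notify-noreply@google.com>
Reply-To: invoices@unknown-sender.example
To: bob@example.com
Subject: Invoice shared with you

Please review the shared invoice and reply with payment details.
"""

KNOWN_CONTACT_SHARE = """From: "Partner (via Google Drive)" <drive-notify-noreply@google.com>
Reply-To: partner@vendor.example
To: bob@example.com
Subject: Invitation to edit: joint roadmap

Partner invited you to edit a document.
"""

ALLOWLISTED_SHARE = """From: "Support (via Google Drive)" <drive-notify-noreply@google.com>
Reply-To: Support@trusted-saas.example
To: bob@example.com
Subject: Onboarding guide shared with you

Support shared a document with you.
"""

NEWSLETTER = """From: news@example-news.example
Reply-To: news@example-news.example
To: bob@example.com
Subject: Weekly digest

Nothing to do with Drive.
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_SHARE), ("suspicious", SUSPICIOUS_SHARE),
                      ("known contact", KNOWN_CONTACT_SHARE),
                      ("allowlisted", ALLOWLISTED_SHARE), ("newsletter", NEWSLETTER)]:
        print(f"{name:14s} -> {evaluate(raw)}")
```

Only the second sample fires: its reply-to is outside the organization, has no history, and is not allowlisted. The order of the checks matters for tuning; putting the organizational-domain test first keeps ordinary internal shares out of the history lookup entirely, and the history and allowlist sets are where false positives from new-but-legitimate partners get suppressed.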
Categories
- Cloud
- Endpoint
- Web
- Application
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2024-12-16