
Google Drive direct download link from unsolicited sender

Sublime Rules

Summary
This detection rule identifies Google Drive direct download links sent by unsolicited senders, since threat actors may use such links to distribute malware. It looks specifically for links of the form 'drive.google.com/uc?id=FILE_ID&export=download', which cause the file to download automatically without further user interaction, bypassing the Google Drive preview page. That automatic download is a significant risk for recipients who cannot see what content is actually being delivered, especially because the link appears to come from a trusted cloud storage provider. The rule triggers when conditions on both the email sender and the included links are met: the sender must be unsolicited, and the sender's domain is checked so that known high-trust domains are excluded unless the message fails DMARC authentication. It also takes previous malicious activity associated with the sender's profile into account, so that such senders remain covered.
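As an added illustration (not the rule's own code or any Sublime code), the link check and sender conditions described above expressed in Python; the Message fields, the high-trust domain list and the treatment of prior malicious activity as an alternative to "unsolicited" are constructed assumptions:

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


def is_drive_direct_download(url: str) -> bool:
    """True for links of the form drive.google.com/uc?id=FILE_ID&export=download.

    The host must be exactly drive.google.com (a look-alike host that merely
    contains that string is rejected) and both query parameters must be present;
    a plain /uc?id=... link or a /file/d/.../view preview link does not count.
    """
    if "://" not in url:          # the pattern is often written without a scheme
        url = "https://" + url
    parsed = urlparse(url)        # lowercases scheme and hostname for us
    if parsed.scheme not in ("http", "https"):
        return False
    if parsed.hostname != "drive.google.com" or parsed.path != "/uc":
        return False
    query = parse_qs(parsed.query)  # blank values are dropped, so "id=" fails
    return bool(query.get("id")) and query.get("export") == ["download"]


@dataclass
class Message:
    """Constructed stand-in for the message attributes the rule consults."""
    sender_domain: str
    links: list[str]
    sender_solicited: bool        # recipient has corresponded with the sender before
    dmarc_pass: bool              # message passed DMARC authentication
    sender_prior_malicious: bool  # sender profile carries earlier flagged activity


# Constructed placeholder set; the real rule's high-trust domain list is not on the page.
HIGH_TRUST_DOMAINS = {"google.com", "microsoft.com"}


def rule_matches(msg: Message) -> bool:
    """Apply the summary's conditions to one message; True means the rule fires."""
    if not any(is_drive_direct_download(link) for link in msg.links):
        return False
    # Sender must be unsolicited; a solicited sender with prior malicious
    # activity on its profile is still covered (assumption about the rule).
    if msg.sender_solicited and not msg.sender_prior_malicious:
        return False
    # Known high-trust domains are excluded only while the message passes DMARC.
    if msg.sender_domain in HIGH_TRUST_DOMAINS and msg.dmarc_pass:
        return False
    return True
```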
Categories
  • Cloud
  • Web
  • Endpoint
Data Sources
  • Web Credential
  • Network Traffic
  • User Account
Created: 2025-03-05