
Summary
This detection rule is designed to identify potential credential phishing attempts delivered via Google share notifications that carry suspicious comments. The detection focuses on messages sent from Google domains, specifically those whose comment section indicates a file-sharing action or request. It employs a combination of string and regex analysis to identify common email subject abbreviations such as 'FW:', 'FWD:', and 'RE:' as well as phrases associated with file sharing, like 'request to view', 'shared a file', and 'file access request'. To reduce false positives, the rule filters out internal notifications from trusted Google senders and messages whose sender display names reference one of the organization's known domains, aiming to catch malicious impersonation attempts targeting users.
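The following is an added example, not the rule's own query language, that reproduces the summarized logic in Python over a few constructed notifications. The trusted-sender address, the organization domain, and the message fields are assumptions used only for illustration.

```python
import re
from dataclasses import dataclass

# Assumed allow-lists (hypothetical placeholders, not values from the rule).
TRUSTED_GOOGLE_SENDERS = {"calendar-notification@google.com"}
ORG_DOMAINS = {"example.com"}

# Subject-style abbreviations and sharing phrases the summary names.
EMAIL_ABBREV = re.compile(r"\b(?:FW|FWD|RE):", re.IGNORECASE)
SHARE_PHRASES = ("request to view", "shared a file", "file access request")


@dataclass
class Notification:
    sender: str        # From address of the notification
    display_name: str  # From header display name
    comment: str       # comment text embedded in the share notification


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_suspicious(n: Notification) -> bool:
    dom = sender_domain(n.sender)
    # Only notifications that really come from a Google domain are in scope.
    if dom != "google.com" and not dom.endswith(".google.com"):
        return False
    # Exclusions: trusted Google senders and display names tied to the org.
    if n.sender.lower() in TRUSTED_GOOGLE_SENDERS:
        return False
    if any(d in n.display_name.lower() for d in ORG_DOMAINS):
        return False
    # Match either a forwarded/reply abbreviation or a file-sharing phrase.
    text = n.comment.lower()
    return bool(EMAIL_ABBREV.search(n.comment)) or any(p in text for p in SHARE_PHRASES)


def scan(notifications):
    """Return the notifications the rule would flag, in input order."""
    return [n for n in notifications if is_suspicious(n)]


# Constructed sample notifications for a dry run.
SAMPLES = [
    Notification("drive-shares-noreply@google.com", "Mallory (via Google Drive)",
                 "FW: Invoice attached, please review"),
    Notification("drive-shares-noreply@google.com", "Alice (alice@example.com via Google Drive)",
                 "Please review the Q3 report"),
    Notification("calendar-notification@google.com", "Google Calendar", "RE: meeting"),
    Notification("attacker@evil.test", "Google Drive", "Someone shared a file with you"),
    Notification("drive-shares-noreply@google.com", "IT Support",
                 "You have a file access request pending. Verify your account to view."),
]
```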
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Web Credential
- Application Log
Created: 2024-10-08