
Summary
This rule is designed to detect credential phishing attempts that use generic document-sharing language. The detection logic checks the subject and body of emails for common phrases associated with document sharing, such as 'document to review' or 'file to review'. It can identify suspicious links that are presented like legitimate file attachments but do not point to trusted file-sharing services. The rule also considers the sender's reputation and the context of the email, ensuring that messages from trusted domains that fail DMARC authentication are flagged. Additional checks cover the sender's previous email behavior, so that senders with a malicious or spammy profile are identified, while negative conditions filter out benign communications. By focusing on specificity of language and the authenticity of links, this detection rule improves the identification of credential phishing attacks that could lead to business email compromise (BEC) or fraud.
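The following is an added, simplified model of the checks the summary describes; it is not the rule's own logic or its query language. The phrase list beyond the two phrases quoted above, the allow-list of file-sharing hosts, the trusted sender domains, the sender-profile fields and the sample emails are all constructed for this illustration. A link counts as a "fake attachment" when its anchor text looks like a file name but its target host is not a known file-sharing service; a trusted sender domain that fails DMARC, or a sender with prior malicious or spam history, adds further signal, and an established, authenticated sender suppresses the verdict.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Generic document-sharing phrases: the first two come from the rule summary,
# the rest are constructed for this example.
DOC_SHARE_PHRASES = (
    "document to review",
    "file to review",
    "shared a document with you",
    "shared a file with you",
)

# Assumed allow-list of legitimate file-sharing hosts (the rule's real list is not given).
TRUSTED_FILE_SHARING = {
    "drive.google.com", "docs.google.com", "dropbox.com",
    "sharepoint.com", "onedrive.live.com", "box.com",
}

# Assumed set of sender domains the organisation treats as trusted.
TRUSTED_SENDER_DOMAINS = {"vendor.example", "partner.example"}

# Anchor text that looks like a file attachment.
FILE_LIKE_TEXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|zip)\s*$", re.IGNORECASE)


@dataclass
class Link:
    text: str   # anchor text the recipient sees
    href: str   # where the link actually goes


@dataclass
class SenderProfile:
    known: bool = False            # sender has mailed this organisation before
    prior_benign: bool = False     # earlier messages were judged benign
    prior_malicious: bool = False  # earlier messages were judged malicious
    prior_spam: bool = False       # earlier messages were judged spam


@dataclass
class Email:
    sender_domain: str
    subject: str
    body: str
    dmarc_pass: bool
    links: list = field(default_factory=list)
    sender: SenderProfile = field(default_factory=SenderProfile)


def has_doc_sharing_language(email):
    text = (email.subject + "\n" + email.body).lower()
    return any(phrase in text for phrase in DOC_SHARE_PHRASES)


def _registrable(host):
    # Crude eTLD+1 so "team.sharepoint.com" matches "sharepoint.com".
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_trusted_share_host(href):
    host = (urlparse(href).hostname or "").lower()
    return host in TRUSTED_FILE_SHARING or _registrable(host) in TRUSTED_FILE_SHARING


def fake_attachment_links(email):
    return [l for l in email.links
            if FILE_LIKE_TEXT.search(l.text) and not is_trusted_share_host(l.href)]


def evaluate(email):
    """Return (flagged, reasons) for one message."""
    if not has_doc_sharing_language(email):
        return False, []
    reasons = []
    if fake_attachment_links(email):
        reasons.append("file-like link to untrusted host")
    if email.sender_domain.lower() in TRUSTED_SENDER_DOMAINS and not email.dmarc_pass:
        reasons.append("trusted sender domain failed DMARC")
    if email.sender.prior_malicious or email.sender.prior_spam:
        reasons.append("sender previously flagged as malicious or spam")
    # Negative condition (assumed): an established sender with benign history
    # whose mail authenticates is treated as benign communication.
    established = (email.sender.known and email.sender.prior_benign
                   and not email.sender.prior_malicious and not email.sender.prior_spam)
    if established and email.dmarc_pass:
        return False, []
    return bool(reasons), reasons


# Constructed sample messages.
SAMPLES = {
    "spoofed_vendor": Email(
        "vendor.example", "Document to review",
        "Hi, you have a document to review. Open it here: Q3_Invoice.pdf",
        dmarc_pass=False,
        links=[Link("Q3_Invoice.pdf", "https://files-review.example/v/abc")]),
    "established_vendor": Email(
        "vendor.example", "Document to review",
        "Please find the file to review on our portal: Contract.docx",
        dmarc_pass=True,
        links=[Link("Contract.docx", "https://portal.vendor.example/doc/1")],
        sender=SenderProfile(known=True, prior_benign=True)),
    "newsletter": Email(
        "news.example", "Weekly update", "Here is what happened this week.",
        dmarc_pass=True),
    "spammy_sender": Email(
        "mail.example", "Payment file to review",
        "Statement.xlsx is waiting for your signature.",
        dmarc_pass=True,
        links=[Link("Statement.xlsx", "https://lookalike-share.example/x")],
        sender=SenderProfile(known=True, prior_spam=True)),
}


def run_samples():
    return {name: evaluate(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, (flagged, reasons) in run_samples().items():
        print(f"{name}: {'FLAG' if flagged else 'ok'} {reasons}")
```

The verdict requires the generic sharing language first; without it, no other signal is consulted, which is what keeps the rule specific rather than firing on every failed DMARC check or every unusual link.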
Categories
- Web
- Cloud
- Identity Management
Data Sources
- User Account
- Process
- Network Traffic
Created: 2025-09-03