Google Drive abuse: Credential phishing link

Sublime Rules

Summary
This rule detects credential phishing delivered through Google Drive share notifications. It targets shared files crafted to resemble legitimate documents from recognized brands in order to capture users' login credentials. Detection rests on several indicators: the email sender, the content of the share message, and the characteristics of the linked document. The rule triggers on emails that originate from official Google Drive accounts and lack the phrase "added you as an editor", narrowing the scope to shares that are more likely to be malicious. It combines sender analysis, URL analysis, optical character recognition (OCR), and natural language processing (NLP) to assess the authenticity and safety of the linked content, so that documents that may facilitate credential theft are flagged. The detection is classified as high severity, reflecting the risk such phishing attacks pose. Overall, the rule draws on established detection methods, including computer vision and link analysis, to improve threat visibility in environments that use Google Drive for file sharing and to alert users before credentials are compromised.
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Cloud Storage
  • Network Traffic
  • Process
Created: 2023-11-30