
Credential phishing: Blue button styled link with file-sharing template artifacts

Sublime Rules

Summary
Detects inbound messages containing HTML links styled as blue buttons, a common artifact of generic file-sharing phishing templates. The rule flags messages whose thread context is new or suspicious (no previous threads, or fake thread indicators) and whose HTML contains an anchor with blue button styling (a background color of #0078d4 or #3a78d1) together with button-like padding. It excludes links to legitimate Microsoft domains and known gateways (e.g., Mimecast) by validating the link domains, including domain hints found in decoded query parameters, and allows an exception only when the domain resolution indicates trust. An ML-based NLU classifier run over the current thread text must indicate a non-benign intent. Attachments with the known Microsoft RPMSG content type are excluded, as are messages from microsoft.com that pass DMARC. This combination reduces false positives from legitimate Microsoft-origin email while catching credential phishing attempts that impersonate file-sharing templates. The rule focuses on credential phishing via impersonation and social engineering, using content, HTML, and URL analysis to detect malicious formatting and intent.
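The HTML and URL parts of the logic above (blue-button anchors, domain extraction from the href and from decoded query parameters, and an allowlist check) can be illustrated with a small stand-alone Python script. This is an added example, not the Sublime rule's source: the trusted-domain list, the "padding present" heuristic, and the sample HTML are assumptions constructed for illustration, and the thread-context, NLU, RPMSG and DMARC checks are out of scope here.

```python
"""Toy reimplementation (added example, not Sublime's rule source) of the
blue-button anchor and link-domain checks described in the rule summary."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# The two button colours named in the rule summary.
BUTTON_COLORS = {"#0078d4", "#3a78d1"}

# Assumed allowlist for illustration: registrable domains treated as trusted
# Microsoft or mail-gateway hosts.
TRUSTED_DOMAINS = {
    "microsoft.com", "microsoftonline.com", "sharepoint.com",
    "office.com", "mimecast.com",
}


def _root_domain(host):
    """'foo.sharepoint.com' -> 'sharepoint.com' (simplistic two-label root)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_trusted_domain(host):
    return _root_domain(host) in TRUSTED_DOMAINS


def _parse_style(style):
    """Turn 'a: b; c: d' into a dict with lowercased keys and values."""
    props = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            props[key.strip().lower()] = value.strip().lower()
    return props


def is_blue_button(style):
    """True when the inline style uses a button colour and sets padding."""
    props = _parse_style(style)
    colour = props.get("background-color") or props.get("background", "")
    return any(c in colour for c in BUTTON_COLORS) and "padding" in props


class ButtonLinkParser(HTMLParser):
    """Collect hrefs of <a> elements styled as blue buttons."""

    def __init__(self):
        super().__init__()
        self.button_links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = dict(attrs)
        if attr.get("href") and is_blue_button(attr.get("style")):
            self.button_links.append(attr["href"])


def link_domains(url):
    """Hostnames referenced by a URL: its own host plus any host found in
    decoded query-parameter values (gateway click-tracking wrappers)."""
    parsed = urlparse(url)
    found = set()
    if parsed.hostname:
        found.add(parsed.hostname.lower())
    for values in parse_qs(parsed.query).values():
        for value in values:
            inner = urlparse(unquote(value))
            if inner.hostname:
                found.add(inner.hostname.lower())
    return found


def suspicious_button_links(html):
    """Return blue-button hrefs whose domains are not all trusted."""
    parser = ButtonLinkParser()
    parser.feed(html)
    flagged = []
    for href in parser.button_links:
        domains = link_domains(href)
        if not domains or not all(is_trusted_domain(d) for d in domains):
            flagged.append(href)
    return flagged


# Constructed sample message body for illustration.
SAMPLE_HTML = """
<p>A document has been shared with you.</p>
<a href="https://files-review.example.net/open?doc=1"
   style="background-color:#0078d4; color:#fff; padding:10px 20px">Open document</a>
<a href="https://contoso.sharepoint.com/:b:/s/docs"
   style="background-color:#0078d4; padding:10px 20px">Open in SharePoint</a>
<a href="https://gateway.mimecast.com/click?url=https%3A%2F%2Fcontoso.sharepoint.com%2Fx"
   style="background:#3a78d1; padding:8px">Rewritten link</a>
<a href="https://files-review.example.net/plain" style="color:blue">Plain link</a>
"""

if __name__ == "__main__":
    for href in suspicious_button_links(SAMPLE_HTML):
        print("flagged:", href)
```

Only the first anchor is flagged: the SharePoint link is on a trusted domain, the Mimecast click-tracking wrapper resolves (via its decoded `url` parameter) to a trusted domain, and the last link is not styled as a button at all. A gateway wrapper whose inner URL points at an untrusted host is still flagged, which is the point of decoding the query parameters.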
Categories
  • Other
Data Sources
  • File
Created: 2026-03-10