
Summary
This detection rule identifies potentially harmful file sharing links related to Notion, a popular productivity and collaboration tool. The rule triggers when an inbound message contains a link (in either the link target or the display URL) that points to a Notion domain (notion.so) and includes suspicious keywords indicative of malicious intent, such as 'shared', 'document', 'secure', and 'important'. The rule also checks that the sender's email domain is not the official Notion mail server, which filters out legitimate communications from Notion. Additionally, it assesses the sender's profile for newness or outlier behavior, as well as any previous malicious activity, which further improves detection precision. If the organization uses Notion as part of its workflow, this rule may cause false positives and might require tweaking or deactivation.
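The following is an added worked example, not the rule's own implementation or the vendor's query language: it reproduces the logic described above in plain Python so the conditions can be exercised against constructed sample messages. The official Notion mail domain is not named on this page, so `OFFICIAL_NOTION_MAIL_DOMAIN` is a placeholder assumption; the `Message`, `Link` and `SenderProfile` types and all sample data are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: the page does not name the official Notion mail server, so this
# is a placeholder to be replaced with the value used in your environment.
OFFICIAL_NOTION_MAIL_DOMAIN = "mail.notion.so"
NOTION_LINK_DOMAIN = "notion.so"
# Keywords named on the page as indicative of malicious sharing lures.
SUSPICIOUS_KEYWORDS = ("shared", "document", "secure", "important")


@dataclass
class Link:
    href: str            # the actual link target
    display_url: str = ""  # the visible URL text, if different


@dataclass
class SenderProfile:
    is_new: bool = False
    is_outlier: bool = False
    previously_malicious: bool = False


@dataclass
class Message:
    direction: str               # "inbound" or "outbound"
    sender_email: str
    links: list = field(default_factory=list)
    profile: SenderProfile = field(default_factory=SenderProfile)


def host_of(url: str) -> str:
    """Return the lower-cased hostname, tolerating display URLs without a scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def is_notion_host(host: str) -> bool:
    return host == NOTION_LINK_DOMAIN or host.endswith("." + NOTION_LINK_DOMAIN)


def has_suspicious_keyword(url: str) -> bool:
    lowered = url.lower()
    return any(keyword in lowered for keyword in SUSPICIOUS_KEYWORDS)


def link_is_suspicious(link: Link) -> bool:
    """Either the target or the display URL points at notion.so with a lure keyword."""
    return any(
        is_notion_host(host_of(url)) and has_suspicious_keyword(url)
        for url in (link.href, link.display_url)
        if url
    )


def sender_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def rule_matches(msg: Message) -> bool:
    """All conditions from the rule description must hold for a hit."""
    if msg.direction != "inbound":
        return False
    if not any(link_is_suspicious(link) for link in msg.links):
        return False
    # Legitimate Notion notifications come from the official mail server.
    if sender_domain(msg.sender_email) == OFFICIAL_NOTION_MAIL_DOMAIN:
        return False
    profile = msg.profile
    return profile.is_new or profile.is_outlier or profile.previously_malicious


# Constructed sample messages (not real data).
SAMPLES = {
    "lure_from_new_sender": Message(
        "inbound", "invoices@example-lure.test",
        [Link("https://www.notion.so/shared/important-document-9x")],
        SenderProfile(is_new=True),
    ),
    "official_notion_notification": Message(
        "inbound", "notify@mail.notion.so",
        [Link("https://www.notion.so/shared/document-42")],
        SenderProfile(is_new=True),
    ),
    "known_partner_no_history": Message(
        "inbound", "pm@partner.example",
        [Link("https://www.notion.so/secure/document-7")],
        SenderProfile(),
    ),
    "display_url_mismatch": Message(
        "inbound", "hr@example-lure.test",
        [Link("https://cdn.example-lure.test/x", display_url="notion.so/shared/secure")],
        SenderProfile(previously_malicious=True),
    ),
}


def evaluate_samples() -> dict:
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

The `known_partner_no_history` case shows why the sender-profile condition matters for false positives: an established sender linking a Notion page with a lure-like keyword does not fire on its own. Organizations that rely on Notion should expect the keyword list to overlap with normal sharing notifications and tune `SUSPICIOUS_KEYWORDS` or the profile conditions accordingly.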
Categories
- Web
- Cloud
- Network
Data Sources
- User Account
- Network Traffic
- Web Credential
Created: 2021-02-19