SharePoint OTP for Filename Matching Org Name

Sublime Rules

Summary
This rule detects Microsoft One-Time Passcode (OTP) messages generated for SharePoint sharing in which the shared file's name matches the name of the sharing organization. It applies several conditions: the sender must be a Microsoft domain; the Message-ID must follow the format Microsoft uses for OTP messages; the message body must contain a phrase characteristic of the OTP flow; and the document name and organization name extracted from the body must be identical. Because these messages are produced by Microsoft's own sharing flow, sender checks alone cannot separate abuse from legitimate use, so the body content is the discriminator. A file named after the sharing organization is a pattern seen in credential phishing campaigns, where attackers use familiar branding to get the recipient to trust and open the fraudulent content.
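The following Python is an added illustration of the detection logic described above, run over constructed sample messages. It is not the Sublime rule's source: the accepted Microsoft sender domains, the Message-ID pattern, the OTP phrase and the body template from which the document and organization names are extracted are all assumptions chosen for the example, and the filename comparison drops the extension and ignores case, which is a small generalization of the "identical" check in the summary.

```python
"""Illustrative re-implementation of the SharePoint OTP filename/org-name check.

Added example, not the Sublime rule itself. Sender domains, Message-ID shape,
OTP phrase and body template are ASSUMED stand-ins, not Microsoft's real values.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr

# ASSUMED: domains treated as "Microsoft" senders for this example.
MICROSOFT_SENDER_DOMAINS = {"sharepointonline.com", "microsoft.com"}

# ASSUMED: Message-ID shape expected for Microsoft OTP mail in this example.
MESSAGE_ID_RE = re.compile(r"^<[^@>]+@[^@>]+\.prod\.outlook\.com>$", re.I)

# ASSUMED: phrase taken as indicative of the OTP flow.
OTP_PHRASE = "verification code"

# ASSUMED body template: '<organization> shared "<document>" with you.'
SHARE_LINE_RE = re.compile(r'^(?P<org>.+?) shared "(?P<doc>[^"]+)" with you\.', re.M)


def sender_domain(msg: Message) -> str:
    """Lower-cased domain of the From: address, or '' if there is none."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_microsoft_sender(msg: Message) -> bool:
    return sender_domain(msg) in MICROSOFT_SENDER_DOMAINS


def message_id_ok(msg: Message) -> bool:
    return bool(MESSAGE_ID_RE.match(msg.get("Message-ID", "").strip()))


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts (the samples below are single-part)."""
    if msg.is_multipart():
        return "\n".join(
            p.get_payload(decode=True).decode("utf-8", "replace")
            for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def extract_doc_and_org(body: str):
    """Return (document name, organization name) from the share line, or None."""
    m = SHARE_LINE_RE.search(body)
    if not m:
        return None
    return m.group("doc"), m.group("org")


def normalize_filename(name: str) -> str:
    """Strip a short trailing extension and case-fold, so 'Acme Corp.pdf'
    compares equal to 'Acme Corp' (assumption made for this example)."""
    base = re.sub(r"\.[A-Za-z0-9]{1,5}$", "", name.strip())
    return base.casefold()


def evaluate(raw: str) -> dict:
    """Run every condition and report each one plus the overall verdict."""
    msg = email.message_from_string(raw)
    body = body_text(msg)
    extracted = extract_doc_and_org(body)
    checks = {
        "microsoft_sender": is_microsoft_sender(msg),
        "message_id": message_id_ok(msg),
        "otp_phrase": OTP_PHRASE in body.lower(),
        "doc_matches_org": extracted is not None
        and normalize_filename(extracted[0]) == extracted[1].strip().casefold(),
    }
    checks["match"] = all(checks.values())
    return checks


def matches_rule(raw: str) -> bool:
    return evaluate(raw)["match"]


# Constructed sample messages (not real mail). HIT satisfies every condition.
HIT = """From: SharePoint Online <no-reply@sharepointonline.com>
To: victim@example.com
Subject: Your verification code
Message-ID: <AB12CD34EF56@EXAMPLE.prod.outlook.com>

Acme Corp shared "Acme Corp.pdf" with you.
Use this verification code to open it: 123456
"""

# Same mail, but the filename does not match the organization: benign share.
MISS_NAME = HIT.replace('"Acme Corp.pdf"', '"Q3 Invoice.pdf"')

# Same body from a non-Microsoft sender: outside this rule's scope.
MISS_SENDER = HIT.replace("no-reply@sharepointonline.com",
                          "no-reply@sharepoint-files.example")

if __name__ == "__main__":
    for label, raw in (("hit", HIT), ("miss_name", MISS_NAME), ("miss_sender", MISS_SENDER)):
        print(label, evaluate(raw))
```

Running the file prints the per-condition results for the three samples; only the first is flagged. The sender and Message-ID checks scope the rule to mail that genuinely came from Microsoft's sharing flow, which is why the filename-to-organization comparison carries the actual decision.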
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Web Credential
  • Network Traffic
Created: 2025-07-03