Brand impersonation: File sharing notification with template artifacts

Sublime Rules

Summary
This detection rule identifies brand impersonation in file-sharing notification messages that carry template artifacts common in phishing attempts. It matches messages containing the phrase 'shared with you' and then looks for specific abnormalities in the HTML body: placeholder comments, incomplete HTML elements, and other remnants of a generic template that has been repurposed for malicious use. The rule checks for brand logos from trusted services such as Microsoft, Dropbox, or Google using machine-learning image detection, requiring a high-confidence logo match. It also uses HTML analysis to find broken or suspicious links, 'AI-esque' comments, and other signs that the message was assembled from a malicious template rather than being a legitimate notification. As an additional measure, it checks whether the sender is one of the known legitimate addresses used for service notifications and whether the DMARC (Domain-based Message Authentication, Reporting & Conformance) check passes. Alerts are generated when multiple indicators align, especially in combination with high-confidence intent classifications indicating credential theft or business email compromise (BEC).
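To make the indicator logic in the summary concrete, here is an added Python illustration of the same checks run over two constructed HTML bodies. It is not the Sublime rule and does not use its query language; the sender allow-list, the placeholder and comment patterns, the two-artifact threshold, and the `brand_logo` and `intent` inputs (standing in for the logo detector and intent classifier the rule relies on) are all assumptions made for this example.

```python
"""Illustrative re-implementation of the indicator logic described in the
summary. Not the Sublime rule; sender list, patterns, thresholds and sample
messages are constructed for this example."""
import re
from html.parser import HTMLParser

# Assumption: a small allow-list of legitimate notification senders (illustrative).
KNOWN_NOTIFICATION_SENDERS = {
    "no-reply@sharepointonline.com",
    "no-reply@dropbox.com",
    "drive-shares-noreply@google.com",
}
CONTAINER_TAGS = {"div", "table", "tr", "td", "a", "p", "span"}
PHRASE_RE = re.compile(r"shared with you", re.I)
# Unfilled template slots such as "[Company Name]" or "{{ recipient }}".
PLACEHOLDER_RE = re.compile(r"\[(?:company|name|link|url|logo)[^\]]*\]|\{\{\s*\w+\s*\}\}", re.I)
# Comments left behind by a template or generator ("TODO: insert logo").
TEMPLATE_COMMENT_RE = re.compile(
    r"\b(todo|placeholder|insert|replace|lorem|your (?:logo|text|company))\b", re.I)


class ArtifactParser(HTMLParser):
    """Collects comments, links, visible text and open/close tag balance."""

    def __init__(self):
        super().__init__()
        self.comments, self.links, self.text = [], [], []
        self.open_depth = {t: 0 for t in CONTAINER_TAGS}
        self.stray_closes = 0

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append(dict(attrs).get("href"))
        if tag in CONTAINER_TAGS:
            self.open_depth[tag] += 1

    def handle_endtag(self, tag):
        if tag in CONTAINER_TAGS:
            if self.open_depth[tag] == 0:
                self.stray_closes += 1  # close without a matching open
            else:
                self.open_depth[tag] -= 1

    def handle_data(self, data):
        self.text.append(data)


def analyze_html(html):
    """Return the list of template-artifact indicators found in an HTML body."""
    p = ArtifactParser()
    p.feed(html)
    p.close()
    text = " ".join(p.text)
    indicators = []
    if PHRASE_RE.search(text):
        indicators.append("shared_with_you_phrase")
    if any(TEMPLATE_COMMENT_RE.search(c) for c in p.comments):
        indicators.append("template_comments")
    if PLACEHOLDER_RE.search(text):
        indicators.append("unfilled_placeholder")
    if sum(p.open_depth.values()) or p.stray_closes:
        indicators.append("incomplete_html")
    # Links with no destination or a dummy anchor are typical of unfinished templates.
    if any(h is None or h.strip() in ("", "#") for h in p.links):
        indicators.append("broken_links")
    return indicators


def evaluate(message):
    """Combine HTML artifacts with sender/DMARC and (simulated) ML signals."""
    indicators = analyze_html(message["html"])
    sender_known = message["from"].lower() in KNOWN_NOTIFICATION_SENDERS
    if sender_known and message.get("dmarc") == "pass":
        return {"alert": False, "indicators": indicators, "reason": "known sender, DMARC pass"}
    artifacts = [i for i in indicators if i != "shared_with_you_phrase"]
    alert = ("shared_with_you_phrase" in indicators
             and message.get("brand_logo", False)   # assumed logo-detector output
             and len(artifacts) >= 2                # assumed threshold
             and message.get("intent") in {"cred_theft", "bec"})  # assumed classifier output
    return {"alert": alert, "indicators": indicators,
            "reason": f"{len(artifacts)} template artifact(s)"}


# Constructed sample messages (not real mail).
PHISHING_EXAMPLE = {
    "from": "notify@file-share-portal.example",
    "dmarc": "fail",
    "brand_logo": True,
    "intent": "cred_theft",
    "html": """<html><body>
<!-- TODO: insert company logo here -->
<div><p>A document has been shared with you by [Company Name].</p>
<a href="#">Open document</a>
<table><tr><td>Sent via secure file share
</body></html>""",
}
LEGIT_EXAMPLE = {
    "from": "no-reply@dropbox.com",
    "dmarc": "pass",
    "brand_logo": True,
    "intent": "benign",
    "html": """<html><body><div>
<p>Q3 report.xlsx was shared with you by Alice.</p>
<a href="https://files.example.com/d/abc123">Open</a>
</div></body></html>""",
}

if __name__ == "__main__":
    for name, msg in (("phishing", PHISHING_EXAMPLE), ("legit", LEGIT_EXAMPLE)):
        print(name, evaluate(msg))
```

The phishing body trips four artifact checks (a TODO comment, an unfilled `[Company Name]` slot, unclosed `div`/`table`/`tr`/`td` elements, and an `href="#"` link), so with a logo match and a credential-theft intent it alerts; the legitimate notification matches the 'shared with you' phrase but is excluded early because its sender is on the allow-list and DMARC passes.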
Categories
  • Network
  • Endpoint
  • Web
  • Cloud
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2026-01-24