
Summary
This detection rule identifies messages showing a specific behavior indicative of potential abuse of SharePoint services. It targets emails in which the sender is the same as the recipient, a pattern associated with insider threats or self-phishing attempts. The rule looks for emails containing a single SharePoint link that points to a OneNote or PDF file, two common formats that may carry malicious content. The message must also carry minimal attachments (zero or one non-embedded attachment) to reduce false positives from legitimate emails, which typically include more. The rule further excludes messages sent via SharePoint notifications, recognisable by specific patterns in the Message-ID, so that it focuses on potentially malicious behavior rather than benign automated communications. By combining header analysis, URL analysis, and sender analysis, the rule aims to strengthen security around SharePoint use in organizations by flagging suspicious email traffic related to sensitive shared resources.
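The conditions described above, implemented as an added Python example (not the rule's own query language or code): the self-addressed check, the single SharePoint OneNote/PDF link, the attachment limit, and the exclusion of SharePoint notification Message-IDs. The notification Message-ID pattern, the `.one`/`.pdf` path check, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample message (not from the original page): self-addressed,
# one SharePoint PDF link, no attachments.
SAMPLE = """From: alice@example.com
To: alice@example.com
Message-ID: <abc123@mail.example.com>
Subject: Shared file
Content-Type: text/plain

Please review: https://contoso.sharepoint.com/sites/hr/Shared%20Documents/payroll.pdf
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed pattern for SharePoint notification Message-IDs; the page says such
# IDs are recognisable but does not give the pattern, so this is a placeholder.
SP_NOTIFICATION_MSGID = re.compile(r"sharepointonline\.com", re.I)

def is_sharepoint_host(url):
    return urlparse(url).netloc.lower().endswith(".sharepoint.com")

def is_onenote_or_pdf(url):
    """Simplified check: OneNote (.one) or PDF file in the URL path."""
    return urlparse(url).path.lower().endswith((".pdf", ".one"))

def count_attachments(msg):
    """Non-embedded attachments only; inline parts are not counted."""
    return sum(1 for part in msg.walk()
               if part.get_content_disposition() == "attachment")

def body_text(msg):
    chunks = []
    for part in msg.walk():
        if (part.get_content_maintype() == "text"
                and part.get_content_disposition() != "attachment"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def matches_rule(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if not sender or recipients != {sender}:           # sender must equal recipient
        return False
    if SP_NOTIFICATION_MSGID.search(msg.get("Message-ID", "")):
        return False                                   # benign SharePoint notification
    if count_attachments(msg) > 1:                     # zero or one attachment allowed
        return False
    sp_links = [u for u in URL_RE.findall(body_text(msg)) if is_sharepoint_host(u)]
    return len(sp_links) == 1 and is_onenote_or_pdf(sp_links[0])
```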
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Application Log
Created: 2026-02-28