
Summary
This detection rule targets phishing attempts that impersonate Google Account notifications. It specifically looks for emails that appear to come from the official Google sender, `no-reply@accounts.google.com`, while containing links that redirect users to free file hosting services. The rule combines header, URL, and sender analysis to detect potential attacks. By checking that the message is inbound and validating the sender's address, the rule aims to identify fraudulent messages that try to deceive users into clicking malicious links. The attack falls primarily within credential phishing, using impersonation that exploits brand trust and social engineering techniques. The presence of known free file host domains further increases the likelihood of malicious activity, as these services are frequently used to share credentials or other sensitive information that have been inadvertently compromised. Alerts generated by this rule provide a critical defense against user exploitation in email environments.
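The three conditions described above (inbound message, sender address equal to `no-reply@accounts.google.com`, and a body link pointing at a free file host) as an added, stand-alone example in Python; this is not the rule's own query language or code. The free-file-host list and the sample message are constructed for illustration, and the `inbound` flag is assumed to be supplied by the mail pipeline.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed, illustrative list of free file-hosting domains (assumption, not the rule's list)
FREE_FILE_HOSTS = {"transfer.sh", "anonfiles.com", "mega.nz", "file.io"}
IMPERSONATED_SENDER = "no-reply@accounts.google.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_link_domains(body: str) -> set:
    """Return the lowercase hostname of every http(s) URL found in the body."""
    domains = set()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host:
            domains.add(host)
    return domains


def matches_free_host(host: str) -> bool:
    """True if host is, or is a subdomain of, a listed free file host."""
    return any(host == h or host.endswith("." + h) for h in FREE_FILE_HOSTS)


def evaluate(raw_message: str, inbound: bool = True) -> dict:
    """Apply the rule: inbound AND spoofed Google sender AND a free-file-host link."""
    msg = message_from_string(raw_message)          # single-part message assumed
    _, sender = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    hits = sorted(d for d in extract_link_domains(body) if matches_free_host(d))
    sender_match = sender.lower() == IMPERSONATED_SENDER
    return {
        "inbound": inbound,
        "sender_match": sender_match,
        "free_host_links": hits,
        "alert": inbound and sender_match and bool(hits),
    }


# Constructed sample: a lure that spoofs the Google sender and links to a free file host
SAMPLE_PHISH = """From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Security alert for your account
Content-Type: text/html

<p>We detected unusual activity. Review it here:
<a href="https://download.transfer.sh/abc123/alert.html">Review activity</a></p>
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE_PHISH))  # alert is True for the constructed sample
```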
Categories
- Identity Management
- Web
- Cloud
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2025-04-16