
Summary
This rule detects potentially malicious EML email attachments that contain links to SharePoint files whose subdomain matches 'netorg'. Several filters narrow the scope to relevant EML files, specifically those containing exactly one attachment, and the rule then inspects the Great365 link structures within that attachment. By analysing the embedded URLs, the rule identifies redirection tactics that leverage the legitimate SharePoint domain while misusing subdomain patterns consistent with known phishing strategies. The intent is to surface credential phishing attempts that use social engineering to impersonate a trusted brand and deceive users into clicking malicious links. The detection combines file and URL analysis with content parsing to accurately identify threats disguised as legitimate documents.
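The following is an added example of the detection logic described above, written for this page rather than taken from the rule itself: it parses an EML, enforces the "exactly one attachment" scope, extracts URLs from that attachment and flags SharePoint hosts whose tenant label contains 'netorg'. The sample message, addresses and tenant name are constructed placeholders.

```python
"""Flag EML files whose single attachment links to a SharePoint host with a
'netorg'-style subdomain. Added example modelled on the rule summary above;
not the rule's own code."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def build_sample(link: str) -> bytes:
    """Constructed one-attachment EML whose attached HTML carries `link`."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Shared document"
    msg.set_content("Please review the attached document.")
    html = f'<html><body><a href="{link}">Open document</a></body></html>'
    msg.add_attachment(html, subtype="html", filename="document.html")
    return msg.as_bytes()


def extract_urls(part) -> list[str]:
    """Pull http(s) URLs out of one MIME part, whatever its payload type."""
    payload = part.get_content()
    if isinstance(payload, bytes):
        payload = payload.decode("utf-8", "replace")
    elif not isinstance(payload, str):      # nested message/rfc822 part
        payload = payload.as_string()
    return URL_RE.findall(payload)


def is_netorg_sharepoint(url: str) -> bool:
    """True for *.sharepoint.com hosts whose tenant label contains 'netorg'."""
    host = (urlparse(url).hostname or "").lower()
    if not host.endswith(".sharepoint.com"):
        return False
    tenant = host.split(".")[0]             # e.g. netorgft0000000-my
    return "netorg" in tenant


def detect(raw_eml: bytes) -> list[str]:
    """Return the suspicious URLs found, or [] when the rule does not fire."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    attachments = list(msg.iter_attachments())
    if len(attachments) != 1:               # rule scope: exactly one attachment
        return []
    return [u for u in extract_urls(attachments[0]) if is_netorg_sharepoint(u)]
```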
Categories
- Web
- Endpoint
- Cloud
Data Sources
- File
- Process
- Network Traffic
Created: 2025-09-24