
Summary
This detection rule identifies brand impersonation of Microsoft SharePoint, a lure commonly used for credential theft. It fires on an inbound message that contains at least one link and carries an image or PDF attachment in which logo detection finds the SharePoint logo. Several further conditions narrow the match: attachment types are checked against known image and PDF formats; a logo-detection model confirms the presence of SharePoint branding in those attachments; a natural language understanding model examines the message text for language indicative of credential theft; the text is also checked for urgency cues and for language implying the content is encrypted; and the prevalence of the sender's email domain is evaluated, so that an unfamiliar domain weighs toward a match. Messages from trusted sender domains are excluded, but only while they pass DMARC authentication: a trusted domain that fails DMARC is treated as a possible spoof and still matches. Together these conditions restrict alerts to cases where the phishing indicators are credible, supporting defense against social engineering and brand impersonation attempts.
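The way these conditions combine, as an added illustration that is not the rule's own code (the rule is expressed in the detection platform's query language, not Python). The file-type sets, the urgency regex, the confidence labels, the prevalence values, the trusted-domain list and the sample messages are all assumptions constructed for this example; the logo-detection and NLU results are supplied as pre-computed inputs rather than produced by real models.

```python
import re
from dataclasses import dataclass, field, replace

# Assumed file-type sets; the real rule checks attachments against its own
# image and PDF lists.
IMAGE_FILE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp", "webp"}
PDF_FILE_TYPES = {"pdf"}

# Assumed approximation of the urgency / "encrypted message" signal. The real
# rule derives this from its NLU models, not from a keyword list.
URGENCY_OR_ENCRYPTION = re.compile(
    r"\b(urgent|immediately|within 24 hours|expire[sd]?|encrypted|secure message)\b",
    re.IGNORECASE,
)

# Assumed trusted-domain list (the rule uses the platform's own list).
TRUSTED_DOMAINS = {"microsoft.com"}


@dataclass
class Attachment:
    file_type: str
    # Pre-computed logo-detection output as (brand, confidence) pairs.
    # Assumed shape; a real logo detector would produce this.
    logo_brands: list = field(default_factory=list)


@dataclass
class Message:
    inbound: bool
    links: list
    body_text: str
    attachments: list
    sender_domain: str
    sender_prevalence: str  # assumed values: "new", "outlier", "common"
    dmarc_pass: bool
    # Pre-computed NLU intents as (intent, confidence) pairs. Assumed shape.
    nlu_intents: list = field(default_factory=list)


def sharepoint_logo_in_image_or_pdf(att: Attachment) -> bool:
    """Logo hits only count on image/PDF attachments and at non-low confidence."""
    if att.file_type.lower() not in IMAGE_FILE_TYPES | PDF_FILE_TYPES:
        return False
    return any(brand == "Microsoft SharePoint" and conf != "low"
               for brand, conf in att.logo_brands)


def credential_theft_language(msg: Message) -> bool:
    """NLU credential-theft intent, or urgency / encryption pretext in the text."""
    nlu_hit = any(intent == "cred_theft" and conf != "low"
                  for intent, conf in msg.nlu_intents)
    return nlu_hit or bool(URGENCY_OR_ENCRYPTION.search(msg.body_text))


def evaluate(msg: Message, trusted_domains: set) -> list:
    """Return the unmet conditions; an empty list means the rule fires."""
    unmet = []
    if not msg.inbound:
        unmet.append("not inbound")
    if not msg.links:
        unmet.append("no links")
    if not any(sharepoint_logo_in_image_or_pdf(a) for a in msg.attachments):
        unmet.append("no SharePoint logo in image/PDF attachment")
    if not credential_theft_language(msg):
        unmet.append("no credential-theft or urgency language")
    if msg.sender_prevalence not in ("new", "outlier"):
        unmet.append("sender domain is well established")
    # Trusted domains are exempt only while they authenticate; a trusted domain
    # that fails DMARC is a possible spoof and still matches.
    if msg.sender_domain.lower() in trusted_domains and msg.dmarc_pass:
        unmet.append("trusted sender domain passed DMARC")
    return unmet


def sample_messages() -> dict:
    """Constructed messages exercising the rule; none are real traffic."""
    lure = Message(
        inbound=True,
        links=["https://example.invalid/review-document"],
        body_text="You have received an encrypted document. "
                  "Review it immediately before it expires.",
        attachments=[Attachment("png", [("Microsoft SharePoint", "high")])],
        sender_domain="share-point-docs.invalid",
        sender_prevalence="new",
        dmarc_pass=False,
        nlu_intents=[("cred_theft", "high")],
    )
    return {
        "lure": lure,
        "trusted_dmarc_pass": replace(lure, sender_domain="microsoft.com",
                                      sender_prevalence="outlier", dmarc_pass=True),
        "trusted_dmarc_fail": replace(lure, sender_domain="microsoft.com",
                                      sender_prevalence="outlier", dmarc_pass=False),
        "no_links": replace(lure, links=[]),
        "logo_in_docx": replace(lure, attachments=[
            Attachment("docx", [("Microsoft SharePoint", "high")])]),
    }


if __name__ == "__main__":
    for name, msg in sample_messages().items():
        unmet = evaluate(msg, TRUSTED_DOMAINS)
        print(f"{name}: {'MATCH' if not unmet else 'no match: ' + '; '.join(unmet)}")
```

Returning the list of unmet conditions rather than a bare boolean makes tuning easier: when a known lure fails to match, the output names the exact condition that suppressed it, and the trusted-domain case shows that the DMARC exception, not the domain list alone, is what decides the outcome.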
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Web Credential
- Process
Created: 2023-06-16