
Brand impersonation: Microsoft with low reputation links

Sublime Rules

Summary
This detection rule identifies potential phishing attempts that impersonate Microsoft by checking for low-reputation links in emails. It evaluates several attributes of each link, such as its domain, whether it points to a known free hosting service, and whether it is a shortened URL. It also checks whether common phishing indicators, including suspicious formatting and specific keywords, appear in the email body or attachments. The rule combines multiple detection methods, including image analysis for the Microsoft logo and Natural Language Understanding to classify the content contextually. Notably, it excludes legitimate Microsoft domains and certain benign scenarios to reduce false positives.
Categories
  • Endpoint
  • Web
  • Cloud
  • Network
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
  • Application Log
  • Process
Created: 2023-05-23