
Link: Secure SharePoint file share from new or unusual sender

Sublime Rules

Summary
This detection rule targets phishing attempts that abuse secure SharePoint file sharing. It identifies emails containing a SharePoint link that is protected and requires the recipient to be verified before file access is granted. Attackers increasingly use this technique to bypass automated security systems that analyze file contents. The rule combines several criteria: it checks the email body for specific phrases indicating file sharing, verifies that the SharePoint file is protected, confirms that the link is a SharePoint link, and assesses the sender's reputation. If the sender is categorized as new, rare, or an outlier, or has never communicated with the recipient organization, the rule flags the message for further investigation.
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2024-07-03