
Brand impersonation: SharePoint PDF attachment with credential theft language
Sublime Rules
Summary
This rule detects phishing attempts that impersonate Microsoft SharePoint through a PDF attachment containing credential theft language. It uses Optical Character Recognition (OCR) to extract text from PDF attachments and looks for high-confidence mentions of credential theft. The detection logic draws on message attributes such as the attachments and headers to determine whether the message is unsolicited or comes from a low-reputation sender. It specifically looks for PDF attachments that contain the SharePoint logo, and scans the extracted text for credential theft language using a natural language understanding classifier. To reduce false positives, the rule excludes legitimate SharePoint file sharing notifications based on specific message ID patterns, and it requires that the sender's reputation is low. Several detection methods (computer vision, sender analysis, and URL analysis) are combined to improve the rule's accuracy in catching SharePoint-themed phishing. The rule is assigned a medium severity level, indicating a recognizable threat that requires vigilance.
Categories
- Web
- Identity Management
- Cloud
Data Sources
- File
- User Account
- Network Traffic
- Application Log
Created: 2025-09-26