Summary
This detection rule identifies suspicious file-sharing links in email messages whose subject lines contain common Business Email Compromise (BEC) keywords such as "immediately" or "urgent". The rule applies to inbound emails whose sender domain is not a Google domain. Links to well-known file-sharing providers such as Dropbox are excluded when the message passes DMARC. The detection combines several checks: the sender's history of malicious activity and an analysis of the email headers, the sender address, and the URLs in the message body. Together these checks flag BEC attempts that pair free file hosts with social-engineering lures, so that such messages can be detected and blocked before they reach users.
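The logic the summary describes, as an added illustration that is not the rule's own code: it takes the "Google" exclusion to mean google.com and its subdomains, and the free-file-host list and sample messages are constructed placeholders, not values from the rule.

```python
import re
from urllib.parse import urlparse

# Subject terms typical of BEC lures (the two the rule summary names).
BEC_SUBJECT_TERMS = ("immediately", "urgent")
# Well-known provider; its links are trusted only when DMARC passes.
KNOWN_PROVIDERS = {"dropbox.com", "www.dropbox.com"}
# Constructed placeholder list of free file hosts (hypothetical domains).
FREE_FILE_HOSTS = {"freeshare.example", "quickdrop.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def suspicious_links(body, dmarc_pass):
    """Hosts of links pointing at a file host; a known provider is
    skipped when the message passed DMARC."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_PROVIDERS and dmarc_pass:
            continue
        if host in KNOWN_PROVIDERS or host in FREE_FILE_HOSTS:
            hits.append(host)
    return hits

def evaluate(msg):
    """Return the reasons the rule fires, or [] when it does not."""
    if msg["direction"] != "inbound":
        return []
    if not any(t in msg["subject"].lower() for t in BEC_SUBJECT_TERMS):
        return []
    dom = msg["from"].rsplit("@", 1)[-1].lower()
    # Assumption: "not from Google" means google.com and its subdomains.
    if dom == "google.com" or dom.endswith(".google.com"):
        return []
    links = suspicious_links(msg["body"], msg["dmarc"] == "pass")
    if not links:
        return []
    reasons = ["file-sharing link: " + h for h in links]
    if msg.get("sender_prev_malicious"):
        reasons.append("sender previously flagged")
    return reasons

# Constructed sample messages (not real traffic).
LURE = {"direction": "inbound", "from": "ceo@vendor-invoices.example",
        "subject": "URGENT: wire details, review immediately",
        "body": "Review https://freeshare.example/f/abc123 today.",
        "dmarc": "fail", "sender_prev_malicious": True}
BENIGN = {"direction": "inbound", "from": "colleague@partner.example",
          "subject": "Urgent: Q3 deck",
          "body": "Slides: https://www.dropbox.com/s/xyz/deck.pptx",
          "dmarc": "pass"}
```

`evaluate(LURE)` returns both reasons, while `evaluate(BENIGN)` returns an empty list because the Dropbox link arrives with a passing DMARC result.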
Categories
- Web
- Endpoint
- Cloud
- Application
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
- Cloud Service
- Web Credential
Created: 2021-02-19