
Sharepoint Link Likely Unrelated to Sender

Sublime Rules

Summary
This detection rule flags suspicious SharePoint links in email when the tenant subdomain of the link differs markedly from the sender's email domain. It combines structural checks with content-based checks to estimate the likelihood of phishing or fraud. The rule inspects links in the message body, focusing on specific file types (OneNote, PDF), and measures how far the SharePoint subdomain deviates from the sender's domain using Levenshtein (edit) distance. It also validates the sender against a list of well-known high-trust domains, takes DMARC authentication results into account, and caps the length of the text content and links it examines so that the detection engine is not overloaded. The rule matters because it helps protect users from credential phishing and social engineering that abuse file-sharing platforms such as SharePoint.
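As an added illustration (not the Sublime rule's own logic, which is in the rule source), the sketch below extracts SharePoint file links from a message body and flags those whose tenant label is far from the sender's organisation by Levenshtein distance. The sample sender and body are constructed; the 0.5 distance ratio, the high-trust allowlist, and stripping of the `-my` tenant suffix are assumptions, and the DMARC and length checks the rule performs are omitted.

```python
import re
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample input: not taken from any real message.
SENDER = "alice@contoso.com"
BODY = """Hi, please review the contract here:
https://vendor-xyz.sharepoint.com/:b:/s/finance/Invoice_2025.pdf?e=abc
and the shared notes at https://contoso-my.sharepoint.com/:o:/p/alice/Notes.one
Also see https://example.com/report.pdf"""

HIGH_TRUST_TENANTS = {"microsoft"}  # assumed allowlist; the rule's real list is not shown here
FILE_EXTS = (".one", ".pdf")        # file types the rule focuses on (OneNote, PDF)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) via a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sharepoint_tenant(url: str) -> Optional[str]:
    """Tenant label of a *.sharepoint.com host, with the OneDrive '-my' suffix stripped."""
    host = (urlparse(url).hostname or "").lower()
    if not host.endswith(".sharepoint.com"):
        return None
    tenant = host[: -len(".sharepoint.com")].split(".")[0]
    return tenant[:-3] if tenant.endswith("-my") else tenant

def sender_org(sender: str) -> str:
    """Organisation label of the sender domain, e.g. 'contoso' for alice@contoso.com."""
    return sender.rsplit("@", 1)[-1].lower().split(".")[0]

def suspicious_links(sender: str, body: str, max_ratio: float = 0.5) -> List[str]:
    """Return SharePoint file links whose tenant is far (normalised edit distance) from the sender org."""
    org = sender_org(sender)
    hits = []
    for url in URL_RE.findall(body):
        tenant = sharepoint_tenant(url)
        path = urlparse(url).path.lower()
        if tenant is None or not path.endswith(FILE_EXTS) or tenant in HIGH_TRUST_TENANTS:
            continue
        if levenshtein(tenant, org) / max(len(tenant), len(org)) > max_ratio:
            hits.append(url)
    return hits
```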
Categories
  • Web
  • Cloud
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
Created: 2025-03-12