Link: Microsoft Protected Message with Matching Sender and Recipient Addresses

Sublime Rules

Summary
This detection rule identifies instances where a user receives a Microsoft Protected Message (RPMSG) in which the sender and recipient email addresses are identical. It checks for specific conditions: the incoming message must carry an attachment with the '.rpmsg' file extension or a content type indicating a Microsoft protected message. Additionally, the rule requires the links embedded in the body to point to the 'office365.com' domain and to include query parameters that reference an Internet Message ID, as legitimate protected-message links do. The primary focus is on cases where the message is sent from and received by the same user, which can indicate a credential phishing attempt. Phishing of this type often relies on social engineering to trick users into revealing sensitive information, so the rule combines several detection methods: content analysis, file header analysis, sender identity checks, and URL analysis.
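As an added illustration (not the rule's own MQL and not Sublime's code), the three conditions above expressed in Python over a constructed message: the RPMSG check by extension or MIME type, an office365.com link whose query string carries the message's own Message-ID, and the sender/recipient comparison. The dictionary field names, the sample addresses and the `msgid` query parameter are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample, not a real capture: the same mailbox is sender and sole
# recipient, and the protected-message link carries the message's Message-ID.
SAMPLE_MESSAGE = {
    "from": "Alice.Example@contoso.example",
    "to": ["alice.example@contoso.example"],
    "message_id": "<20250703.ABC123@contoso.example>",
    "attachments": [
        {"file_name": "message.rpmsg",
         "content_type": "application/x-microsoft-rpmsg-message"},
    ],
    "links": [
        "https://outlook.office365.com/encryption/retrieve.ashx"
        "?msgid=20250703.ABC123%40contoso.example",  # parameter name assumed
    ],
}

def has_protected_message(message):
    """True if any attachment is an RPMSG by extension or by MIME type."""
    for att in message.get("attachments", []):
        name = att.get("file_name", "").lower()
        ctype = att.get("content_type", "").lower()
        if name.endswith(".rpmsg") or ctype == "application/x-microsoft-rpmsg-message":
            return True
    return False

def link_references_message_id(url, message_id):
    """True if the URL is on office365.com and a query value contains the Message-ID."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host != "office365.com" and not host.endswith(".office365.com"):
        return False
    bare_id = message_id.strip("<>").lower()
    if not bare_id:  # an empty ID would match anything; treat it as no match
        return False
    for values in parse_qs(parsed.query).values():
        if any(bare_id in v.lower() for v in values):
            return True
    return False

def sender_matches_recipient(message):
    """True when the sender is the one and only recipient (case-insensitive)."""
    sender = message.get("from", "").strip().lower()
    recipients = {r.strip().lower() for r in message.get("to", [])}
    return bool(sender) and recipients == {sender}

def matches_rule(message):
    """All three conditions must hold for the message to match."""
    links = message.get("links", [])
    msg_id = message.get("message_id", "")
    return (has_protected_message(message)
            and any(link_references_message_id(u, msg_id) for u in links)
            and sender_matches_recipient(message))
```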
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • File
  • Process
Created: 2025-07-03