Link: File sharing pretext with suspicious body and link

Sublime Rules

Summary
This detection rule aims to recognize potentially malicious messages that use a file-sharing pretext to phish for credentials. The rule looks for messages containing exactly one link, where that link points to a suspicious domain associated with self-service file-sharing platforms or URL shorteners. Key criteria: the email body text must cover file-sharing topics, the display text of the link must correlate with the email subject, and the message must contain neither a previous thread nor a PDF attachment, elements commonly used in phishing attempts. The rule also filters out links that carry certain visual cues (such as Google icons) typically used by legitimate services to convey authenticity. By combining these checks with multiple content analysis techniques, the rule improves detection of threats that aim to deceive users through social engineering.
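The checks listed in the summary, expressed as a small scoring function run over constructed sample messages. This is an added illustration, not the Sublime rule itself: the suspicious-host list, the file-sharing phrase list, the icon markers and the dictionary message format are all assumptions made for the example, and "correlates with the subject" is approximated as sharing at least one meaningful word.

```python
"""Illustrative re-implementation of the detection logic described in the rule summary.
Added example, not the Sublime rule; all lists and the message format are constructed."""
import re
from urllib.parse import urlparse

# Assumption: hosts standing in for self-service file-sharing sites and URL shorteners.
SUSPICIOUS_HOSTS = {"bit.ly", "tinyurl.com", "t.ly",
                    "files.share-example.test", "docs.share-example.test"}
# Assumption: phrases that mark a file-sharing pretext in the body text.
FILE_SHARING_TERMS = ("shared a file", "shared a document", "shared with you",
                      "view document", "review the file", "secure document")
# Assumption: image names a legitimate vendor notification embeds inside its link.
TRUSTED_ICON_MARKERS = ("google_icon", "googlelogo")
STOPWORDS = {"the", "a", "an", "to", "of", "for", "you", "your", "and", "with", "has", "is"}


def _tokens(text):
    """Lower-cased alphanumeric words minus stopwords."""
    return set(re.findall(r"[a-z0-9]+", text.lower())) - STOPWORDS


def host_is_suspicious(href):
    """True when the link host is (a subdomain of) one of the suspicious hosts."""
    host = (urlparse(href).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in SUSPICIOUS_HOSTS)


def body_has_file_sharing_topic(body):
    low = body.lower()
    return any(term in low for term in FILE_SHARING_TERMS)


def display_text_matches_subject(display_text, subject):
    """'Correlates with the subject' approximated as at least one shared meaningful word."""
    return bool(_tokens(display_text) & _tokens(subject))


def link_carries_trusted_icon(link):
    """Legitimate notifications often wrap a vendor icon in the link; those are filtered out."""
    img = (link.get("img_src") or "").lower()
    return any(marker in img for marker in TRUSTED_ICON_MARKERS)


def has_pdf_attachment(attachments):
    return any(name.lower().endswith(".pdf") for name in attachments)


def evaluate(message):
    """Return every individual check plus an overall 'match' that requires all of them."""
    links = message.get("links", [])
    checks = {
        "single_link": len(links) == 1,
        "not_reply_thread": not message.get("is_reply", False),
        "no_pdf_attachment": not has_pdf_attachment(message.get("attachments", [])),
        "file_sharing_body": body_has_file_sharing_topic(message.get("body", "")),
    }
    if links:
        link = links[0]
        checks["suspicious_host"] = host_is_suspicious(link["href"])
        checks["text_matches_subject"] = display_text_matches_subject(
            link.get("text", ""), message.get("subject", ""))
        checks["no_trusted_icon"] = not link_carries_trusted_icon(link)
    else:
        checks.update(suspicious_host=False, text_matches_subject=False, no_trusted_icon=False)
    checks["match"] = all(checks.values())
    return checks


# Constructed sample messages (not real mail).
PHISH = {
    "subject": "Invoice Q3 document shared with you",
    "body": "Hello, a colleague shared a document with you. Please review the file here.",
    "links": [{"href": "https://bit.ly/3xyzabc", "text": "Open shared document"}],
    "attachments": [],
    "is_reply": False,
}
# Same pretext, but the link wraps a vendor icon image, so the rule filters it out.
LEGIT_NOTIFICATION = dict(PHISH, links=[{
    "href": "https://docs.share-example.test/d/abc",
    "text": "Open shared document",
    "img_src": "https://cdn.example.test/images/google_icon.png",
}])
# Same pretext inside an existing reply thread: excluded.
REPLY = dict(PHISH, is_reply=True)
# Two links: the single-link criterion fails.
TWO_LINKS = dict(PHISH, links=PHISH["links"] + [{"href": "https://example.com/unsubscribe",
                                                  "text": "unsubscribe"}])

if __name__ == "__main__":
    for name, msg in [("PHISH", PHISH), ("LEGIT_NOTIFICATION", LEGIT_NOTIFICATION),
                      ("REPLY", REPLY), ("TWO_LINKS", TWO_LINKS)]:
        print(name, evaluate(msg)["match"])
```

Each check is returned separately so a triage analyst can see which criterion kept a message from matching, which is useful when tuning the keyword or host lists against false positives.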
Categories
  • Network
  • Endpoint
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
Created: 2025-10-11