
Sharepoint file share with suspicious recipients pattern

Sublime Rules

Summary
This detection rule targets suspicious emails originating from sharepoint.com, specifically messages sent to undisclosed recipients. Its objective is to identify credential-phishing or malware-distribution attempts in which compromised accounts use a legitimate file-sharing service to deliver malicious links. The rule checks for several indicators together: 'Undisclosed recipients' in the recipient list, file-sharing language in the email body, and a sender domain of sharepoint.com. The body text it looks for includes phrases such as 'shared a file with you', 'shared with you' and 'invited you to access a file', and the links contained in the body are analysed as well. Requiring these indicators in combination helps flag harmful messages that might otherwise pass standard security controls, reinforcing email security against this kind of abuse of trusted services.
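The indicator combination described above, as an added Python illustration (not the Sublime rule itself, which is not reproduced on this page). The `Email` model, the sample messages and the treatment of `*.sharepoint.com` subdomains and of link hosts outside sharepoint.com are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr
from urllib.parse import urlparse

# File-sharing phrases listed in the rule summary.
SHARE_PHRASES = ("shared a file with you", "shared with you", "invited you to access a file")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Email:
    """Minimal message model (constructed for this example)."""
    sender: str  # From: header value
    to: str      # To: header value
    body: str    # plain-text body


def sender_domain(from_header: str) -> str:
    """Extract the domain part of the From: address, lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def evaluate(msg: Email) -> dict:
    """Return each indicator from the rule summary and the overall verdict."""
    domain = sender_domain(msg.sender)
    links = URL_RE.findall(msg.body)
    body = msg.body.lower()
    indicators = {
        # Assumption: subdomains of sharepoint.com count as the SharePoint sender domain.
        "sender_sharepoint": domain == "sharepoint.com" or domain.endswith(".sharepoint.com"),
        "undisclosed_recipients": "undisclosed recipients" in msg.to.lower(),
        "share_language": any(p in body for p in SHARE_PHRASES),
        "has_link": bool(links),
    }
    # Link analysis (assumption): surface hosts outside sharepoint.com for the analyst.
    hosts = [(urlparse(link).hostname or "").lower() for link in links]
    offsite = sorted({h for h in hosts if not h.endswith("sharepoint.com")})
    return {"indicators": indicators, "offsite_hosts": offsite,
            "flagged": all(indicators.values())}


# Constructed samples: a share to undisclosed recipients with an off-site link,
# and a normal share addressed to a named recipient.
SUSPICIOUS = Email(sender="no-reply@sharepoint.com", to="Undisclosed recipients:;",
                   body="Alice shared a file with you: https://example.invalid/open/doc1")
BENIGN = Email(sender="no-reply@sharepoint.com", to="bob@corp.example",
               body="Alice shared a file with you: https://contoso.sharepoint.com/x")
```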
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Process
  • Network Traffic
Created: 2023-07-25