
Summary
This detection rule targets messages that contain suspicious links to SharePoint shared folders. Specifically, it looks for links to folders that share a single file, where that file is a .url shortcut, has a filename in all uppercase letters, or carries urgent call-to-action language (e.g., 'Click Here', 'Download'). To qualify as suspicious, a message must not originate from SharePoint itself, must be unsolicited or come from a new or outlier sender, and must not come from a highly trusted sender domain unless it fails DMARC authentication. The rule combines header analysis and HTML content analysis, using regex patterns and conditional logic to identify these links. By assessing sender profiles and distinguishing between solicited and unsolicited mail, the rule aims to minimize false positives while still catching phishing attempts that abuse SharePoint sharing links.
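As an added illustration, not the rule's own code, the following Python models the conditions in the summary and runs them over constructed sample messages. It assumes the folder listing behind each link has already been resolved by an upstream link-analysis step; the sender-profile labels, the trusted-domain list and all sample values are constructed.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

# Constructed input model: the folder listing behind each link is assumed to have been
# resolved by an upstream link-analysis step; this example fetches nothing.
SharedFolderLink = namedtuple("SharedFolderLink", "url files")
# sender_profile is "new", "outlier" or "known"; solicited means the recipient has mailed this sender before.
Message = namedtuple("Message", "sender_domain sender_profile solicited dmarc_pass links")

SHAREPOINT_HOST = re.compile(r"(^|\.)sharepoint\.com$", re.I)
CTA_WORDS = re.compile(r"\b(click\s*here|download|urgent|action\s*required)\b", re.I)
HIGHLY_TRUSTED = {"microsoft.com", "partner.example"}  # constructed allow-list

def suspicious_filename(name: str) -> bool:
    """Flag a .url shortcut, an all-uppercase name, or call-to-action wording."""
    stem = name.rsplit(".", 1)[0] if "." in name else name
    return name.lower().endswith(".url") or stem.isupper() or bool(CTA_WORDS.search(stem))

def suspicious_link(link: SharedFolderLink) -> bool:
    """A SharePoint folder that exposes exactly one file, and that file looks suspicious."""
    host = urlparse(link.url).hostname or ""
    return bool(SHAREPOINT_HOST.search(host)) and len(link.files) == 1 and suspicious_filename(link.files[0])

def is_suspicious(msg: Message) -> bool:
    if SHAREPOINT_HOST.search(msg.sender_domain):        # SharePoint's own notifications are out of scope
        return False
    if msg.solicited and msg.sender_profile == "known":  # established sender the recipient has written to
        return False
    if msg.sender_domain.lower() in HIGHLY_TRUSTED and msg.dmarc_pass:  # trusted, unless DMARC fails
        return False
    return any(suspicious_link(link) for link in msg.links)

# Constructed sample messages, not real telemetry.
SP = "https://contoso.sharepoint.com/sites/Finance/Shared"
SAMPLES = {
    "url_shortcut":       Message("mail.example", "new", False, True, [SharedFolderLink(SP, ["Payment.url"])]),
    "all_caps":           Message("vendor.example", "outlier", False, True, [SharedFolderLink(SP, ["INVOICE_2024.pdf"])]),
    "cta_dmarc_fail":     Message("microsoft.com", "new", False, False, [SharedFolderLink(SP, ["Download Now.pdf"])]),
    "trusted_dmarc_pass": Message("microsoft.com", "new", False, True, [SharedFolderLink(SP, ["Download Now.pdf"])]),
    "known_solicited":    Message("partner.example", "known", True, True, [SharedFolderLink(SP, ["CLICK HERE.pdf"])]),
    "two_files":          Message("mail.example", "new", False, True, [SharedFolderLink(SP, ["report.pdf", "notes.docx"])]),
    "from_sharepoint":    Message("sharepoint.com", "new", False, True, [SharedFolderLink(SP, ["Payment.url"])]),
}

def run() -> dict:
    return {name: is_suspicious(msg) for name, msg in SAMPLES.items()}
```

Only the first three samples should fire; the remaining four each hit one of the exclusions (trusted sender passing DMARC, solicited known sender, multi-file folder, mail from SharePoint itself).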
Categories
- Web
- Cloud
- Endpoint
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2024-09-23