Impersonation: SharePoint Reply Header Anomaly

Sublime Rules

Summary
This detection rule identifies potential impersonation attempts via SharePoint by analyzing the reply headers of email messages. It looks for messages that appear to be responses to an earlier thread but lack the usual reply elements. Specifically, the rule checks for SharePoint-formatted reply headers, which are expected in such notifications, and flags inconsistencies between those headers and the subject line or recipient pattern that may indicate phishing. Its criteria include standard phrases associated with shared content and the absence of reply markers such as 'RE:' and 'FWD:' from the subject. The rule also compares the sender's address against the recipient list to check that the sender is not impersonating an actual recipient, and it confirms that no previous legitimate SharePoint conversation exists, which reduces false positives from reply chains. Finally, it excludes bounce-back messages so that only genuine potential threats are flagged.
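The following is an added illustration of the detection logic described above, not the Sublime rule itself: it models each of the summary's conditions (sharing phrases, reply headers without a RE:/FW: subject marker, sender versus recipients, no prior SharePoint thread, no bounce) as a check over a constructed message. The phrase list, the header names used to detect a reply, and the treatment of "sender appears among the recipients" as the impersonation indicator are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed phrases modelled on SharePoint sharing notifications (not the rule's own list).
SHARE_PHRASES = ("shared a file with you", "shared a folder with you", "shared with you")
REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)
BOUNCE_LOCAL_PARTS = ("mailer-daemon", "postmaster")


@dataclass
class Message:
    """Constructed stand-in for a parsed email; fields are what the checks need."""
    sender: str
    recipients: List[str]
    subject: str
    body: str
    headers: Dict[str, str] = field(default_factory=dict)
    prior_sharepoint_thread: bool = False  # "previous legitimate SharePoint conversation"


def is_bounce(sender: str, hdrs: Dict[str, str]) -> bool:
    """Bounce-backs: delivery-agent senders or an Auto-Submitted header other than 'no'."""
    local_part = sender.split("@")[0].lower()
    return local_part in BOUNCE_LOCAL_PARTS or hdrs.get("auto-submitted", "no").lower() != "no"


def is_sharepoint_reply_anomaly(msg: Message) -> bool:
    """Return True when the message matches every condition of the described rule."""
    text = f"{msg.subject} {msg.body}".lower()
    hdrs = {k.lower(): v for k, v in msg.headers.items()}
    # 1. Sharing language typical of SharePoint notifications must be present.
    if not any(phrase in text for phrase in SHARE_PHRASES):
        return False
    # 2. Reply headers claim the message continues a thread (assumed: In-Reply-To / References) ...
    if "in-reply-to" not in hdrs and "references" not in hdrs:
        return False
    # 3. ... yet the subject carries no RE:/FW:/FWD: marker a real reply would have.
    if REPLY_PREFIX.match(msg.subject):
        return False
    # 4. Sender address also appears among the recipients (assumed model of the impersonation check).
    if msg.sender.lower() not in {r.lower() for r in msg.recipients}:
        return False
    # 5. A prior legitimate SharePoint conversation explains the reply; suppress to avoid false positives.
    if msg.prior_sharepoint_thread:
        return False
    # 6. Bounce-back messages are excluded so only genuine candidates remain.
    return not is_bounce(msg.sender, hdrs)
```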
Categories
  • Web
  • Endpoint
  • Cloud
Data Sources
  • User Account
  • Application Log
Created: 2025-03-03