Link: Google Cloud Storage impersonating with googledrive in URL path

Sublime Rules

Summary
This rule detects inbound messages that contain links to Google Cloud Storage (storage.googleapis.com) where the URL path ends with googledrive.html. Such URLs can be used to impersonate Google Drive and deliver malicious content or phishing payloads. The detection logic inspects the links in the message body and requires two conditions: the link's domain must be storage.googleapis.com, and the path must end with googledrive.html. When both conditions match, the rule raises a high-severity alert categorized under Credential Phishing, reflecting a tactic of impersonation and potential abuse of a free file hosting service to lure users into providing credentials or downloading malicious content. The approach uses URL analysis to identify suspicious links designed to masquerade as legitimate Google Drive resources. False positives may occur with legitimate Google Drive URL wrappers, so contextual correlation with user activity and content is recommended for validation.
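The two conditions described above, applied to links pulled from a message body. This is an added Python example, not the rule's own source; the function names, the URL regex and the sample body are assumptions made for illustration, and the exact-case path comparison and percent-decoding are choices of this sketch.

```python
import re
from urllib.parse import unquote, urlsplit

# Constants and function names are hypothetical, chosen for this example.
TARGET_HOST = "storage.googleapis.com"
TARGET_SUFFIX = "googledrive.html"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample body; bucket and domain names are placeholders.
SAMPLE_BODY = """\
Shared file: https://storage.googleapis.com/example-bucket/docs/googledrive.html?id=42
Mixed case and port: https://STORAGE.googleapis.com:443/example-bucket/googledrive.html#view
Other object: https://storage.googleapis.com/example-bucket/report.pdf
Different host: https://storage.googleapis.com.example.net/a/googledrive.html
Name in query only: https://example.org/r?u=storage.googleapis.com/googledrive.html
"""


def link_matches(url):
    """True when the host is exactly TARGET_HOST and the path ends with TARGET_SUFFIX."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # .hostname is lowercased and excludes userinfo and port; drop a trailing root dot.
    host = (parts.hostname or "").rstrip(".")
    # Compare the decoded path only, so the query string and fragment are ignored.
    path = unquote(parts.path)
    return host == TARGET_HOST and path.endswith(TARGET_SUFFIX)


def matching_links(body):
    """Return every link in the body that satisfies both conditions."""
    candidates = (u.rstrip(".,;)") for u in URL_RE.findall(body))
    return [u for u in candidates if link_matches(u)]


if __name__ == "__main__":
    for hit in matching_links(SAMPLE_BODY):
        print("ALERT high / Credential Phishing:", hit)
```

Comparing the parsed hostname for equality, rather than searching the raw URL string, is what keeps the last two sample lines from matching.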
Categories
  • Web
Data Sources
  • Web Credential
Created: 2026-05-27