
Link: File sharing impersonation with suspicious language and sending patterns
Sublime Rules
Summary
This rule detects potentially malicious messages that exhibit characteristics of business email compromise (BEC) or credential theft, specifically focusing on communications relating to file sharing and cloud services. The detection mechanism utilizes natural language understanding (NLU) to identify relevant topics and intents with high confidence levels. It checks for links in the message that have document-related display text and are directed towards low-reputation domains outside the sender's organization. Additionally, it incorporates multiple conditions to evaluate the context of the message, such as suspicious sending patterns, recipient visibility, and the presence of trusted vs. untrusted sender domains. The rule excludes legitimate document sharing services to reduce false positives, and it addresses the possibility of undelivered or hidden recipient scenarios. By employing advanced analysis techniques—such as URL and header analysis—this rule serves to protect organizations against phishing and impersonation threats involving file sharing.
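As an added illustration (not the rule's own MQL, and with the NLU and domain-reputation checks left out), the following Python sketch implements the link and recipient-visibility conditions the summary describes; the allowlist, the document-keyword list and the sample message are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist standing in for the rule's exclusion of legitimate
# sharing services; the real list is not reproduced here.
KNOWN_GOOD_SHARING = {"sharepoint.com", "dropbox.com", "docs.google.com"}
# Display text treated as document-related (constructed keyword list).
DOC_TEXT = re.compile(r"\b(document|file|invoice|proposal|contract|view|download|open)\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host: str) -> str:
    """Rough eTLD+1: last two labels. A real rule would use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicious_doc_links(html_body: str, sender_email: str, known_good=KNOWN_GOOD_SHARING):
    """Return (display_text, host) for links with document-like text that point
    outside the sender's org and are not a known sharing service. Reputation is
    not modelled here: every outside domain counts as untrusted."""
    sender_domain = registered_domain(sender_email.rsplit("@", 1)[-1])
    hits = []
    for href, inner in ANCHOR.findall(html_body):
        host = urlparse(href).hostname or ""
        if not host:
            continue
        display = re.sub(r"<[^>]+>", " ", inner).strip()
        if not DOC_TEXT.search(display):
            continue                       # display text is not document-related
        dom = registered_domain(host)
        if dom == sender_domain:
            continue                       # link stays within the sender's org
        if dom in known_good or host in known_good:
            continue                       # legitimate sharing service, excluded
        hits.append((display, host))
    return hits

def recipient_hidden(to_header: str, cc_header: str, recipient_email: str) -> bool:
    """Recipient visibility: True when the receiving mailbox is in neither To nor Cc."""
    return recipient_email.lower() not in f"{to_header} {cc_header}".lower()

# Constructed sample message, not a real capture.
SAMPLE_BODY = """<p>Hi, please review the document below.</p>
<a href="https://files-share-view.example.net/d/abc">View Document</a>
<a href="https://acme.example.com/unsubscribe">Unsubscribe</a>"""

if __name__ == "__main__":
    print(suspicious_doc_links(SAMPLE_BODY, "ap@acme.example.com"))
    print(recipient_hidden("undisclosed-recipients:;", "", "bob@corp.example"))
```

The two functions map to separate rule conditions; the rule only fires when the link check, the sending-pattern and recipient checks, and the NLU intent check all agree, which keeps a lone external document link from triggering it.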
Categories
- Endpoint
- Web
- Cloud
- Application
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2025-11-01