Brand impersonation: Google using Microsoft Forms

Sublime Rules

Summary
This detection rule identifies credential phishing that abuses Microsoft Forms notifications to impersonate Google. It matches inbound messages whose sender domain is 'email.formspro.microsoft.com' (the domain Microsoft Forms uses for its notification mail) and whose sender display name mentions 'Google' or 'Gmail' together with a word typical of urgent notifications, such as 'alert', 'warning', or 'notification'. To avoid flagging mail that genuinely originated from Google, the rule requires that the Message-ID not contain known Google identifiers. It then looks for links in the body that do not point to trusted domains, and for lure phrases commonly used in phishing, such as threats of account suspension or claims of suspicious activity. Because the notification is generated and delivered by Microsoft's own infrastructure, sender authentication (SPF, DKIM, DMARC) passes, so the rule has to rely on display-name and content signals rather than on sender reputation. Taken together, these conditions flag credential phishing that uses brand impersonation as its social engineering hook.
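The following is an added example that reimplements the logic described above in plain Python so the conditions can be exercised against sample messages. It is not the Sublime rule's own source: the urgency and lure word lists, the Google Message-ID pattern, the trusted-domain set, and the three sample messages are all constructed assumptions for illustration.

```python
"""Added example: Python re-creation of the detection conditions summarised above.
Not the Sublime rule's own query; word lists, trusted domains, the Google Message-ID
pattern and the sample messages below are constructed assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

SENDER_DOMAIN = "email.formspro.microsoft.com"
BRAND_RE = re.compile(r"\b(google|gmail)\b", re.I)
URGENCY_RE = re.compile(r"\b(alert|warning|notification)\b", re.I)
# Assumed Google-originated Message-ID suffixes (Gmail uses @mail.gmail.com).
GOOGLE_MSGID_RE = re.compile(r"@(mail\.gmail\.com|google\.com)>?$", re.I)
# Assumed "trusted" registered domains for body links.
TRUSTED_DOMAINS = {"google.com", "microsoft.com", "office.com"}
LURE_RE = re.compile(
    r"(account (will be )?suspend|suspicious (sign-in|activity)|verify your account)",
    re.I,
)


@dataclass
class Message:
    direction: str
    sender_email: str
    sender_name: str
    message_id: str
    body: str
    links: List[str] = field(default_factory=list)


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def registered_domain(url: str) -> str:
    # Simplification: last two labels of the host. Real rules use a public-suffix
    # aware root-domain function so that e.g. example.co.uk is handled correctly.
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def untrusted_links(msg: Message) -> List[str]:
    return [u for u in msg.links if registered_domain(u) not in TRUSTED_DOMAINS]


def evaluate(msg: Message) -> Dict[str, bool]:
    """Return each condition separately so analysts can see which one failed."""
    return {
        "inbound": msg.direction == "inbound",
        "forms_sender": sender_domain(msg.sender_email) == SENDER_DOMAIN,
        "brand_in_display_name": BRAND_RE.search(msg.sender_name) is not None,
        "urgency_in_display_name": URGENCY_RE.search(msg.sender_name) is not None,
        "not_google_message_id": GOOGLE_MSGID_RE.search(msg.message_id) is None,
        "has_untrusted_link": bool(untrusted_links(msg)),
        "lure_phrase_in_body": LURE_RE.search(msg.body) is not None,
    }


def matches(msg: Message) -> bool:
    return all(evaluate(msg).values())


# Constructed sample messages (not real captures).
PHISH = Message(
    "inbound", "no-reply@email.formspro.microsoft.com", "Gmail Security Alert",
    "<abc123@email.formspro.microsoft.com>",
    "We detected suspicious activity. Your account will be suspended unless you verify today.",
    ["https://forms.office.com/r/xyz", "https://login-verify.example.net/gmail"],
)
LEGIT = Message(
    "inbound", "no-reply@email.formspro.microsoft.com", "Microsoft Forms",
    "<def456@email.formspro.microsoft.com>",
    "Your response to 'Team Survey' has been recorded.",
    ["https://forms.office.com/r/abc"],
)
GOOGLE_ORIGIN = Message(
    "inbound", "no-reply@email.formspro.microsoft.com", "Google Alert",
    "<ghi789@mail.gmail.com>", PHISH.body, list(PHISH.links),
)

if __name__ == "__main__":
    for name, m in (("PHISH", PHISH), ("LEGIT", LEGIT), ("GOOGLE_ORIGIN", GOOGLE_ORIGIN)):
        print(name, matches(m), evaluate(m))
```

Returning the per-condition dictionary rather than a single boolean is deliberate: when tuning a rule like this, the useful question is usually which condition a near-miss failed, not just whether it fired. Note the `registered_domain` shortcut is only adequate for the sample data; a production rule needs public-suffix-aware root-domain handling.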
Categories
  • Web
  • Endpoint
  • Cloud
  • Infrastructure
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2023-01-27