Suspicious SharePoint File Sharing

Sublime Rules

Summary
This detection rule targets potential credential phishing attacks that utilize SharePoint file sharing to deliver malicious files such as PDFs or OneNote documents. It analyzes incoming email messages for specific signatures, including message IDs that indicate SharePoint notifications, patterns in the body text, and subject lines featuring terms associated with file sharing. The rule employs sender analysis to identify suspicious email behavior, particularly if the sender's domain differs from 'sharepointonline.com' and verifies whether the email is solicited. If the sender is from SharePoint, the rule checks for unusual reply-to addresses, particularly newly created domains or free email providers, to determine if the interaction is authentic. Additionally, the detection logic examines any links within the email, ensuring they originate from SharePoint and conform to certain path structures that indicate personal shares or malicious file types.
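The checks in the summary above, written out as an added Python example so the logic can be run against sample messages; this is not the Sublime rule itself (which is expressed in Sublime's own query language), and the free-mail provider list, the 30-day "newly created domain" threshold, the domain-age lookup table and the three sample messages are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

SHAREPOINT_SENDER_DOMAIN = "sharepointonline.com"
# Assumption: a small set of free mail providers stands in for a fuller list.
FREE_MAIL_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}
# Assumption: domains registered fewer than this many days ago count as "newly created".
NEW_DOMAIN_MAX_AGE_DAYS = 30
SHARE_SUBJECT_RE = re.compile(r"\b(shared|shared with you|file|document)\b", re.I)
SHARE_BODY_RE = re.compile(r"(shared (a|the) (file|document|folder)|open the document|view (the )?file)", re.I)
SHARED_FILE_EXT_RE = re.compile(r"\.(pdf|one)$", re.I)  # PDF or OneNote shares

# Constructed stand-in for a WHOIS/RDAP domain-age lookup.
DOMAIN_CREATED = {"example-corp.com": date(2015, 3, 1), "sp-share-login.xyz": date(2024, 7, 10)}


@dataclass
class Message:
    message_id: str
    sender_domain: str
    subject: str
    body: str
    reply_to_domains: list
    links: list
    solicited: bool  # True when the recipient has prior correspondence with the sender


def domain_age_days(domain, today=date(2024, 7, 19)):
    """Days since registration, or None when the domain is not in the lookup table."""
    created = DOMAIN_CREATED.get(domain.lower())
    return None if created is None else (today - created).days


def looks_like_sharepoint_notification(msg):
    """Signature check: SharePoint message-id, file-sharing subject, or sharing body text."""
    return (SHAREPOINT_SENDER_DOMAIN in msg.message_id.lower()
            or SHARE_SUBJECT_RE.search(msg.subject) is not None
            or SHARE_BODY_RE.search(msg.body) is not None)


def sender_reasons(msg):
    """Sender analysis: spoofed/unsolicited non-SharePoint senders, or odd reply-to domains."""
    reasons = []
    if msg.sender_domain.lower() != SHAREPOINT_SENDER_DOMAIN:
        if not msg.solicited:
            reasons.append(f"unsolicited SharePoint-style notice from {msg.sender_domain}")
        return reasons
    for rt in msg.reply_to_domains:
        rt = rt.lower()
        if rt in FREE_MAIL_PROVIDERS:
            reasons.append(f"reply-to on free mail provider: {rt}")
        age = domain_age_days(rt)
        if age is not None and age < NEW_DOMAIN_MAX_AGE_DAYS:
            reasons.append(f"reply-to on newly created domain: {rt} ({age} days old)")
    return reasons


def link_reasons(links):
    """Only SharePoint-hosted links count; flag personal shares and PDF/OneNote file paths."""
    reasons = []
    for link in links:
        u = urlparse(link)
        host = (u.hostname or "").lower()
        if not (host == "sharepoint.com" or host.endswith(".sharepoint.com")):
            continue
        if "/personal/" in u.path:
            reasons.append(f"personal share: {host}{u.path}")
        if SHARED_FILE_EXT_RE.search(u.path):
            reasons.append(f"shared PDF/OneNote file: {u.path.rsplit('/', 1)[-1]}")
    return reasons


def evaluate(msg):
    """Return (matched, reasons). A match needs the notification signature,
    a sender anomaly, and at least one suspicious SharePoint link."""
    if not looks_like_sharepoint_notification(msg):
        return False, []
    reasons = sender_reasons(msg)
    if not reasons:
        return False, []
    links = link_reasons(msg.links)
    if not links:
        return False, []
    return True, reasons + links


# Constructed sample messages (not real mail).
SPOOFED_NOTICE = Message("<a1@notify-sp.example>", "notify-sp.example", 'John Doe shared "Invoice" with you',
                         "John Doe shared a file with you.", [],
                         ["https://contoso-my.sharepoint.com/personal/jdoe_contoso_com/Documents/Invoice.pdf"], False)
LEGIT_NOTICE = Message("<b2@sharepointonline.com>", "sharepointonline.com", "Jane shared a file with you",
                       "Jane shared a file with you.", ["example-corp.com"],
                       ["https://contoso.sharepoint.com/sites/Finance/Shared%20Documents/report.docx"], True)
FREEMAIL_REPLY_TO = Message("<c3@sharepointonline.com>", "sharepointonline.com", "Bob shared a document with you",
                            "Open the document to review.", ["gmail.com"],
                            ["https://fabrikam-my.sharepoint.com/personal/bob_fabrikam_com/Documents/Notes.one"], False)

if __name__ == "__main__":
    for m in (SPOOFED_NOTICE, LEGIT_NOTICE, FREEMAIL_REPLY_TO):
        print(m.message_id, evaluate(m))
```

Each layer returns the reasons it found rather than a bare boolean, which is what an analyst wants in the alert: the spoofed sample fires on the unsolicited non-SharePoint sender plus the personal-share PDF link, the free-mail reply-to sample fires on the reply-to domain plus the OneNote personal share, and the genuine notification from sharepointonline.com with a corporate reply-to and a site-library link produces no match.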
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
Created: 2024-07-19