
Summary
This detection rule targets potential credential phishing from GoDaddy federated tenants by monitoring inbound emails that notify users about shared SharePoint files. The rule identifies these notifications through patterns in the message attributes, principally the Message-ID and the subject line, which match known traits of such phishing attempts. For each link in a matching email, the rule checks whether the link originates from a default tenant name associated with GoDaddy's federated tenants (specifically, names beginning with 'netorg' under SharePoint's domain). It further requires that the sender has had no prior solicited email interaction, and it reduces false positives by confirming that no false positives have been reported against the sender profile. Given these operational parameters and the targeted phishing context, the rule is assigned low severity within an attack surface reduction strategy.
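As an added illustration (not the rule's own code or detection syntax), the following Python applies the four conditions described above to constructed sample notifications. The subject and Message-ID patterns, the sample hosts and the sender-profile fields are assumptions, since the page does not give the rule's exact values.

```python
import re
from urllib.parse import urlparse

# ASSUMED stand-ins for the subject and Message-ID traits; the page does not
# reproduce the rule's exact patterns.
SUBJECT_RE = re.compile(r"\bshared (?:a file|a folder|.+?) with you\b", re.I)
MESSAGE_ID_RE = re.compile(r"@[^>]*sharepoint", re.I)


def is_godaddy_tenant_link(url: str) -> bool:
    """True if the link host is a 'netorg...' tenant directly under sharepoint.com.

    The tenant is the first DNS label and the parent is compared label by label,
    so a look-alike such as netorg1.sharepoint.com.example.net is rejected.
    """
    labels = (urlparse(url).hostname or "").lower().split(".")
    return (len(labels) == 3 and labels[0].startswith("netorg")
            and labels[1:] == ["sharepoint", "com"])

def matches_rule(msg: dict) -> bool:
    """All four conditions from the summary must hold for the rule to fire."""
    profile = msg["sender_profile"]
    return (bool(SUBJECT_RE.search(msg["subject"]))
            and bool(MESSAGE_ID_RE.search(msg["message_id"]))
            and any(is_godaddy_tenant_link(u) for u in msg["links"])
            and not profile["prior_solicited_email"]
            and profile["false_positives"] == 0)

def _sample(msg_id, host, solicited=False, false_positives=0):
    """Build a constructed inbound share notification (not a real message)."""
    return {"id": msg_id, "subject": "Alice shared a file with you",
            "message_id": f"<{msg_id}@sharepointonline.example>",
            "links": [f"https://{host}/:x:/g/personal/report.xlsx"],
            "sender_profile": {"prior_solicited_email": solicited,
                               "false_positives": false_positives}}

SAMPLE_MESSAGES = [  # constructed scenarios
    _sample("m1", "netorg4821.sharepoint.com"),                  # fires
    _sample("m2", "netorg4821-my.sharepoint.com"),               # fires (OneDrive host)
    _sample("m3", "netorg1.sharepoint.com.example.net"),         # look-alike, rejected
    _sample("m4", "contoso.sharepoint.com"),                     # other tenant, rejected
    _sample("m5", "netorg77.sharepoint.com", solicited=True),    # known sender, rejected
    _sample("m6", "netorg77.sharepoint.com", false_positives=2), # prior FP, rejected
]

def flagged_ids(messages=SAMPLE_MESSAGES):
    """Return the ids of messages the rule would flag: ['m1', 'm2'] for the samples."""
    return [m["id"] for m in messages if matches_rule(m)]
```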
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2024-07-03