u/Outrageous_Till_8284

Drive Share Phishing

I am looking to see if anyone has any creative rules for trying to catch more of the drive share phishing attempts. We see a lot of phishing attempts where a docs file is shared with a large group of people, via the drive-shares-dm-noreply@google.com email, which cannot be explicitly blocked. I have played around with a few content compliance rules, none that were great. The idea is I would like to try and quarantine any inbound drive shares that appear to be phishing, whether that is too many recipients, etc. More just seeing what rules others have built to try and catch more of these proactively!

u/Outrageous_Till_8284 — 4 days ago