diff --git a/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml b/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
new file mode 100644
index 00000000000..6d38dd73492
--- /dev/null
+++ b/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
@@ -0,0 +1,28 @@
+name: "Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender"
+description: "This rule detects messages containing links to lookerstudio with a non standard lookerstudio template from a new and unsolicited sender. "
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and length(body.current_thread.text) < 800
+ and regex.icontains(body.current_thread.text,
+ '(shared.{0,30}with you|View Document)'
+ )
+ and any(body.links, .href_url.domain.domain == "lookerstudio.google.com")
+
+ and (
+ profile.by_sender().prevalence in ("new", "outlier")
+ and not profile.by_sender().solicited
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
+ - "URL analysis"
+id: "dbb50cb4-171f-532b-b820-906be09d03d6"
+testing_pr: 909
+testing_sha: fe8827b2d60961d72d60d34efdf16e93f699bf33
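Review bot: The description says the rule detects a "non standard lookerstudio template", but nothing in `source` inspects a template — the conditions are a body under 800 characters, a generic `shared … with you`/`View Document` phrase, and any link whose domain is exactly `lookerstudio.google.com`; either narrow the description to what the logic actually tests or add the template check it implies. If, as the name suggests, the lure is Google's own share notification, the `profile.by_sender()` prevalence/solicited test will fire the same way on a recipient's first benign share, so the expected false-positive profile is worth stating in the description. The `< 800` threshold and the `.{0,30}` gap in the regex carry no rationale; a comment above the length condition such as `// short body: share-notification lures carry little text beyond the link` would help the next maintainer tune them. Minor style: the description has a trailing space and spells the product both "Looker Studio" and "lookerstudio".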