
Attachment: RDP Connection file

Sublime Rules

Summary
This rule identifies RDP (Remote Desktop Protocol) connection files delivered as attachments, including files nested inside compressed archives. The attack it targets deceives users into opening a connection file that points at an RDP server the attacker controls, which can lead to unauthorized access and compromise of sensitive data or systems. The detection logic relies on file extensions: it checks for attachments that directly have an '.rdp' extension, and inspects archive formats known to carry RDP files for members with that extension. If any direct RDP file is found, or an archive contains one, the rule triggers an alert. This reduces the attack surface for the credential phishing and malware scenarios that can follow from such RDP connections, and organizations should deploy the rule to strengthen their posture against these targeted threats.
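The following Python is an added illustration of the detection logic described above, not the Sublime rule itself or code from the Sublime Rules project. It generalizes the rule slightly by descending into nested archives; restricting archives to zip (so it runs with the standard library alone), the attachment tuple structure, and the sample attachments are all constructed assumptions for the example.

```python
import io
import zipfile

# Assumption for this example: only zip archives are inspected (the rule text does not name formats).
ARCHIVE_EXTENSIONS = {"zip"}

def file_extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def rdp_files_in_zip(data: bytes, depth: int = 0, max_depth: int = 3) -> list[str]:
    """Member paths ending in .rdp, descending into nested zips up to max_depth levels."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                ext = file_extension(info.filename)
                if ext == "rdp":
                    found.append(info.filename)
                elif ext in ARCHIVE_EXTENSIONS and depth < max_depth:
                    inner = rdp_files_in_zip(zf.read(info), depth + 1, max_depth)
                    found.extend(f"{info.filename}/{m}" for m in inner)
    except zipfile.BadZipFile:
        pass  # not a readable archive: nothing to inspect here
    return found

def detect_rdp_attachments(attachments: list[tuple[str, bytes]]) -> list[str]:
    """Mirror the rule: flag direct .rdp attachments, or archives that contain one."""
    hits = []
    for name, content in attachments:
        ext = file_extension(name)
        if ext == "rdp":
            hits.append(name)
        elif ext in ARCHIVE_EXTENSIONS:
            hits.extend(f"{name}/{m}" for m in rdp_files_in_zip(content))
    return hits

def build_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in members.items():
            zf.writestr(member, data)
    return buf.getvalue()

# Constructed sample: a benign PDF, a direct .rdp (mixed case), and a zip whose nested zip hides an .rdp.
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf", b"%PDF-1.4"),
    ("Connect.RDP", b"full address:s:rdp.example.invalid\r\n"),
    ("docs.zip", build_zip({"readme.txt": b"hi", "inner.zip": build_zip({"vpn/access.rdp": b""})})),
]
```

Running `detect_rdp_attachments(SAMPLE_ATTACHMENTS)` returns the direct file and the full path of the nested one, which is what an alert should carry so an analyst can see where the file was hidden.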
Categories
  • Endpoint
  • Web
  • Network
Data Sources
  • File
  • Network Traffic
  • Cloud Storage
Created: 2022-03-14