
macOS malware: Compiled AppleScript with document double-extension

Sublime Rules

Summary
This detection rule identifies potentially malicious compiled AppleScript files, specifically those whose filename carries a double extension (e.g., .docx.scpt, .pdf.scpt). Files of this kind are used in cyberattack campaigns, often attributed to the Democratic People's Republic of Korea (DPRK). When double-clicked, such a file opens in Script Editor, and social engineering is used to persuade the user to run the harmful script, which may retrieve additional payloads. The rule combines several file attributes: it confirms that the detected files are compiled AppleScripts (with a .scpt extension), matches certain trusted sender criteria, and excludes trusted domains that pass DMARC authentication. The detection process checks the file's extension, type, size, and the sender's authenticity, which together help recognise threats posed by malware disguised behind this double-extension file format.
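The following Python snippet is an added illustration of the detection logic the summary describes; it is not the Sublime rule itself and is not taken from the Sublime Rules project. It checks an attachment for a document-style double extension ending in .scpt, confirms the content is a compiled AppleScript by its leading "FasdUAS" header bytes, applies a size ceiling, and suppresses the alert only when the sender's domain is on a trusted list and the message passed DMARC. The trusted-domain list, the 1 MiB size ceiling and the sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed trusted sender domains (constructed for this example).
TRUSTED_DOMAINS = {"corp.example"}

# Assumed size ceiling for a compiled AppleScript lure (constructed; tune to your data).
MAX_SCPT_SIZE = 1 * 1024 * 1024

# Document-like first extension followed by the compiled AppleScript extension.
DOUBLE_EXT_SCPT = re.compile(r"\.(docx?|pdf|xlsx?|pptx?|txt|rtf)\.scpt$", re.IGNORECASE)

# Compiled AppleScript files start with the "FasdUAS" signature.
COMPILED_APPLESCRIPT_MAGIC = b"FasdUAS"


@dataclass
class Attachment:
    filename: str
    content: bytes

    @property
    def size(self) -> int:
        return len(self.content)


@dataclass
class Message:
    sender_domain: str
    dmarc_pass: bool
    attachments: list


def has_double_extension_scpt(filename: str) -> bool:
    """True for names such as Report.pdf.scpt; False for plain notes.scpt."""
    return DOUBLE_EXT_SCPT.search(filename) is not None


def is_compiled_applescript(content: bytes) -> bool:
    """Check the file type by header bytes rather than trusting the extension."""
    return content.startswith(COMPILED_APPLESCRIPT_MAGIC)


def sender_is_trusted(msg: Message, trusted_domains=TRUSTED_DOMAINS) -> bool:
    """A domain is only trusted when DMARC also passes; a failing DMARC result
    means the trusted name may be spoofed, so the exclusion must not apply."""
    return msg.dmarc_pass and msg.sender_domain.lower() in trusted_domains


def flag_attachments(msg: Message, trusted_domains=TRUSTED_DOMAINS,
                     max_size: int = MAX_SCPT_SIZE) -> list:
    """Return the filenames of attachments that match the detection."""
    if sender_is_trusted(msg, trusted_domains):
        return []
    return [
        a.filename
        for a in msg.attachments
        if has_double_extension_scpt(a.filename)
        and is_compiled_applescript(a.content)
        and a.size <= max_size
    ]


# Constructed sample messages covering the main cases.
LURE = Attachment("Quarterly_Report.pdf.scpt", COMPILED_APPLESCRIPT_MAGIC + b" 1.101.10\x00...")
SAMPLE_MESSAGES = {
    "untrusted": Message("mail.example.net", True, [LURE]),
    "trusted_dmarc_pass": Message("corp.example", True, [LURE]),
    "trusted_dmarc_fail": Message("corp.example", False, [LURE]),
    "single_extension": Message("mail.example.net", True,
                                [Attachment("notes.scpt", COMPILED_APPLESCRIPT_MAGIC)]),
    "wrong_magic": Message("mail.example.net", True,
                           [Attachment("Invoice.docx.scpt", b"not a compiled script")]),
}


def run_samples() -> dict:
    """Evaluate every constructed sample and return the flagged filenames per case."""
    return {name: flag_attachments(msg) for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, flagged in run_samples().items():
        print(f"{name:20s} -> {flagged}")
```

The trusted-domain exclusion is deliberately gated on a DMARC pass: a message claiming a trusted domain but failing DMARC is treated like any other sender, so the lure is still flagged.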
Categories
  • macOS
Data Sources
  • File
  • Process
Created: 2026-02-12