
Summary
This detection rule monitors for browsers being launched by applications that typically handle document files, such as Adobe Acrobat, Microsoft Office, or other PDF readers. It fires when a web browser (Brave, Chrome, Firefox, Edge, Opera, Maxthon, SeaMonkey, or Vivaldi) is started by a document-handling process and its command line carries an HTTP or HTTPS URL, that is, when the browser is being pointed at a web application. Such behavior can indicate phishing, especially when a user unexpectedly finds a browser window open after interacting with a known document reader. Context matters: a browser command line containing an HTTP request, triggered by a document reader process, suggests possible exploitation or malicious intent. Users and analysts are advised to investigate further, in particular the command line of the launched browser process, to establish whether the URL it accessed is benign or potentially harmful, and to weigh the user actions and system behavior leading up to the browser launch when assessing the risk level.
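As an added example (not part of this rule page or the rule's own definition), the matching logic described above applied to constructed process-creation events: parent is a document reader, child is one of the listed browsers, and the command line holds an http(s) URL. The executable names in the two sets are assumptions, since the page does not list them.

```python
import re
from dataclasses import dataclass

# Assumed executable names for the applications the rule describes (not from the page).
DOCUMENT_READERS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe",
                    "powerpnt.exe", "foxitreader.exe", "sumatrapdf.exe"}
BROWSERS = {"brave.exe", "chrome.exe", "firefox.exe", "msedge.exe", "opera.exe",
            "maxthon.exe", "seamonkey.exe", "vivaldi.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def match_browser_from_document_reader(event: ProcessEvent):
    """Return the URL the alert should carry, or None if the event does not match:
    parent is a document reader, child is a browser, command line holds a URL."""
    if basename(event.parent_image) not in DOCUMENT_READERS:
        return None
    if basename(event.image) not in BROWSERS:
        return None
    m = URL_RE.search(event.command_line)
    return m.group(0) if m else None

def triage(events):
    """(parent, browser, url) triples for the events that match the rule."""
    return [(basename(e.parent_image), basename(e.image), url)
            for e in events if (url := match_browser_from_document_reader(e))]

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 '"chrome.exe" --single-argument https://example.invalid/login'),
    ProcessEvent(r"C:\Windows\explorer.exe",   # ordinary user launch: no alert
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 '"chrome.exe" https://example.invalid/'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 '"firefox.exe" -osint'),            # browser but no URL: no alert
]

if __name__ == "__main__":
    for parent, browser, url in triage(SAMPLE_EVENTS):
        print(f"ALERT: {parent} launched {browser} with URL {url}")
```

Only the first constructed event matches; the returned URL is what an analyst would check when deciding whether the launch was benign.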
Categories
- Endpoint
Data Sources
- Process
Created: 2024-05-27