Downloaded Shortcut Files

Elastic Detection Rules

Summary
The rule "Downloaded Shortcut Files" looks for Windows shortcut (.lnk) files created on a host whose Mark of the Web shows they came from outside the local machine and intranet. Adversaries commonly deliver .lnk files in phishing campaigns, as attachments or behind links, because a shortcut can launch a script interpreter or a living-off-the-land binary with attacker-controlled arguments as soon as the user opens it. The rule is an EQL (Event Query Language) query over file creation events: it matches when the created file's extension is lnk and its Windows zone identifier is greater than 1. That zone identifier comes from the Zone.Identifier alternate data stream that MotW-aware applications (browsers, mail clients, Explorer) attach to files they write; ZoneId 0 is Local Machine, 1 Local Intranet, 2 Trusted Sites, 3 Internet, and 4 Restricted Sites, so a value above 1 means the file did not originate on the local machine or intranet. A match is a candidate phishing payload and warrants reviewing the shortcut's target path and arguments, the ReferrerUrl and HostUrl recorded in the stream, and any child process the shortcut spawned. Two caveats apply: a ZoneId of 2 (Trusted Sites) also satisfies the condition, so the threshold is not strictly "Internet only", and shortcuts extracted from container formats (ISO images, some archive tools) carry no stream when MotW is not propagated to the extracted content, in which case this rule does not fire and other coverage is needed.
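To make the matching logic concrete, here is an added example (not Elastic's code, and not the rule's own EQL) that parses the text of a Zone.Identifier stream and applies the same three conditions to a simplified file-creation event. The event shape (FileEvent), the helper names and the sample events are assumptions constructed for the illustration; they are not taken from the rule or from real telemetry.

```python
"""Re-implement the 'Downloaded Shortcut Files' conditions over sample events.

Added illustration only. The event record is a simplified stand-in for a
Windows file-creation event; the Zone.Identifier text is embedded inline.
"""
from dataclasses import dataclass
from typing import Optional

# URL security zone IDs as written by Windows into the Zone.Identifier
# alternate data stream (the "Mark of the Web").
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(stream: Optional[str]) -> Optional[dict]:
    """Parse the INI-style text of a Zone.Identifier stream.

    Returns None when the stream is absent or carries no usable ZoneId,
    which is what a file written by a tool that does not propagate MotW
    looks like to the detection.
    """
    if not stream:
        return None
    section = None
    fields = {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        return None
    try:
        zone = int(fields["ZoneId"])
    except ValueError:
        return None
    return {
        "zone_id": zone,
        "zone_name": ZONE_NAMES.get(zone, "Unknown"),
        "referrer_url": fields.get("ReferrerUrl"),
        "host_url": fields.get("HostUrl"),
    }


@dataclass
class FileEvent:
    """Simplified, constructed stand-in for a Windows file event."""
    event_type: str                  # "creation", "modification", ...
    path: str
    extension: str
    zone_identifier: Optional[str]   # raw stream text, or None if absent


def is_downloaded_shortcut(ev: FileEvent) -> bool:
    """Mirror the rule: a created .lnk whose ZoneId is greater than 1."""
    if ev.event_type != "creation" or ev.extension.lower() != "lnk":
        return False
    motw = parse_zone_identifier(ev.zone_identifier)
    return motw is not None and motw["zone_id"] > 1


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent("creation", r"C:\Users\a\Downloads\invoice.lnk", "lnk",
              "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.test/\r\n"
              "HostUrl=https://example.test/invoice.lnk\r\n"),      # Internet: fires
    FileEvent("creation", r"C:\Users\a\Downloads\tool.lnk", "lnk",
              "[ZoneTransfer]\r\nZoneId=2\r\n"),                     # Trusted Sites: fires
    FileEvent("creation", r"\\fileserver\share\app.lnk", "lnk",
              "[ZoneTransfer]\r\nZoneId=1\r\n"),                     # intranet: no alert
    FileEvent("creation", r"C:\Users\a\Desktop\extracted.lnk", "lnk",
              None),                                                 # no MotW: no alert
    FileEvent("creation", r"C:\Users\a\Downloads\report.pdf", "pdf",
              "[ZoneTransfer]\r\nZoneId=3\r\n"),                     # not .lnk: no alert
    FileEvent("modification", r"C:\Users\a\Downloads\old.lnk", "lnk",
              "[ZoneTransfer]\r\nZoneId=3\r\n"),                     # not creation: no alert
]


def find_alerts(events) -> list:
    """Return the paths of events the rule logic would alert on."""
    return [ev.path for ev in events if is_downloaded_shortcut(ev)]


if __name__ == "__main__":
    for path in find_alerts(SAMPLE_EVENTS):
        print("ALERT downloaded shortcut:", path)
```

The sample set deliberately includes the two cases the summary's caveats describe: the Trusted Sites shortcut fires even though it did not come from the open Internet, and the shortcut with no Zone.Identifier stream produces no alert. On a live Windows host the stream text the parser expects can be read with `Get-Content -Path <file> -Stream Zone.Identifier` in PowerShell, which is the quickest way to confirm what a given alert was based on.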
Categories
  • Endpoint
  • Windows
Data Sources
  • File
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1204 (User Execution)
  • T1204.002 (User Execution: Malicious File)
  • T1566 (Phishing)
  • T1566.001 (Phishing: Spearphishing Attachment)
  • T1566.002 (Phishing: Spearphishing Link)
Created: 2020-09-02