
Summary
This rule detects the creation of recent file entries that link to ISO, IMG, VHD, or VHDX files, disk-image formats that are often used in phishing attacks. Such images can conceal malicious payloads and are typically mounted by users who unwittingly open malware delivered by email or other vectors. In enterprise environments, especially on workstations, users rarely mount disk images, which makes this detection particularly relevant there. False positives are possible, especially in server environments where legitimate mounting may occur. Administrators should review these alerts critically rather than dismiss them, since a match indicates file-creation activity that warrants a closer look.
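The matching logic the summary describes, as an added Python example that is not the rule's own YAML or any vendor code. It assumes that the "recent file entries" are the shortcut files Windows writes under a path containing \Microsoft\Windows\Recent\ (so a link to an ISO is named like name.iso.lnk), that the file-creation telemetry is Sysmon-style FileCreate records (Event ID 11) with the path in a TargetFilename field, and that hosts listed in server_hosts should produce lower-severity alerts to reflect the expected false positives from legitimate server-side mounting; that severity tuning is an assumption of the example, not part of the published rule. The sample events are constructed, not real telemetry.

```python
import re

# Disk-image extensions the rule cares about, as they appear in Recent\*.lnk names.
IMAGE_EXTENSIONS = (".iso", ".img", ".vhd", ".vhdx")

# Assumed location of recent-file shortcuts (Windows Recent folder), matched case-insensitively.
RECENT_DIR_RE = re.compile(r"\\microsoft\\windows\\recent\\", re.IGNORECASE)


def is_image_recent_entry(target_filename: str) -> bool:
    """True when the created file is a Recent-folder shortcut pointing at a disk image."""
    if not RECENT_DIR_RE.search(target_filename):
        return False
    lower = target_filename.lower()
    return any(lower.endswith(ext + ".lnk") for ext in IMAGE_EXTENSIONS)


def evaluate(events, server_hosts=frozenset()):
    """Return one alert per FileCreate event (assumed Sysmon Event ID 11) that matches.

    Alerts from hosts in server_hosts are marked 'low' severity instead of 'medium';
    this tuning knob is an assumption of the example, not part of the published rule.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue  # only file-creation records are relevant
        path = ev.get("TargetFilename", "")
        if not is_image_recent_entry(path):
            continue
        alerts.append({
            "host": ev["Computer"],
            "user": ev.get("User", ""),
            "image": ev.get("Image", ""),
            "target": path,
            "severity": "low" if ev["Computer"] in server_hosts else "medium",
        })
    return alerts


# Constructed sample events (not real telemetry): one workstation hit, one benign
# document shortcut, one server hit with mixed-case extension, one non-FileCreate
# event, and one ISO written outside the Recent folder.
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "WS-0123", "User": "CORP\\alice",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Invoice_2022.iso.lnk"},
    {"EventID": 11, "Computer": "WS-0123", "User": "CORP\\alice",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\report.docx.lnk"},
    {"EventID": 11, "Computer": "SRV-HV01", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\svc_backup\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\nightly.VHDX.lnk"},
    {"EventID": 1, "Computer": "WS-0123", "User": "CORP\\alice",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\setup.iso"},
    {"EventID": 11, "Computer": "WS-0456", "User": "CORP\\bob",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\bob\\Downloads\\image.iso"},
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, server_hosts={"SRV-HV01"}):
        print(alert)
```

Running the block yields two alerts: the workstation shortcut to Invoice_2022.iso at medium severity and the server shortcut to nightly.VHDX at low severity. The ISO written straight to Downloads is deliberately not matched, because the rule keys on the shortcut that Windows creates when the image is opened, not on the image file itself.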
Categories
- Endpoint
- Windows
Data Sources
- File
Created: 2022-02-11