
Summary
This detection rule addresses adversaries who use double extensions to disguise executable files as common document types. It looks for Windows files and processes whose names carry a document-style extension (e.g., .pdf, .jpg, .docx) followed by three or more spaces or underscores and then the real, executable extension, so that the name is perceived as a document while the file is in fact an executable or script. The padding pushes the true extension out of view, misleading users and some detection mechanisms into treating a harmful file as benign. The technique has been used by adversary groups including APT28 and Sandworm Team as a way to obscure the nature of the file being executed.
Categories
- Windows
- Endpoint
Data Sources
- Process
- File
ATT&CK Techniques
- T1036.007
Created: 2024-02-09
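The following is an added illustration of the padded double-extension match described above, run over constructed Sysmon-style file and process events; it is not the rule's own query. The list of executable extensions is an assumption for the example, and the document extensions are the three the rule summary names.

```python
import re

# Document-style extensions named in the rule summary.
DOC_EXTS = ("pdf", "jpg", "docx")
# Executable/script extensions assumed for this example (not taken from the rule).
EXEC_EXTS = ("exe", "scr", "bat", "cmd", "ps1", "vbs", "js", "hta", "msi", "com", "pif")

# Match "<name>.<doc ext><3+ spaces or underscores>.<exec ext>" at the end of
# the file name. The filler may mix spaces and underscores; case is ignored.
PATTERN = re.compile(
    r"\.(?:" + "|".join(DOC_EXTS) + r")[ _]{3,}\.(?:" + "|".join(EXEC_EXTS) + r")$",
    re.IGNORECASE,
)


def is_padded_double_extension(path: str) -> bool:
    """True if the final path component is a padded double extension."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return PATTERN.search(name) is not None


def flag_events(events):
    """Return the events (file creation or process creation) whose path matches."""
    return [e for e in events if is_padded_double_extension(e["path"])]


# Constructed sample events: two true positives, the rest benign or out of scope.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\alice\Downloads\invoice.pdf       .exe"},
    {"type": "process", "path": r"C:\Users\alice\Downloads\photo.jpg___.scr"},
    {"type": "file", "path": r"C:\Users\alice\Documents\report.docx  .exe"},   # only 2 spaces
    {"type": "file", "path": r"C:\Users\alice\Documents\report.pdf"},          # real document
    {"type": "process", "path": r"C:\Temp\notes.docx.exe"},                    # unpadded, not this rule
    {"type": "file", "path": r"C:\Temp\archive.pdf   .zip"},                   # not executable
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(f"ALERT {hit['type']}: {hit['path']}")
```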