
Attachment: OLE external relationship containing file scheme link to IP address

Sublime Rules

Summary
This detection rule targets emails whose attachments contain file scheme (file://) links that reference IP addresses, a pattern often associated with malware distribution. It examines a range of attachment types, focusing on file extensions categorized as common archives or considered suspicious, as well as attachments that specify no file extension, are labeled as 'unknown' type, or carry a content type of 'application/octet-stream', provided the attachment does not exceed the 100MB size limit. The core check inspects the OLE properties of each attachment for external relationships whose target uses the file scheme and points to an external IP address. IP addresses in the private ranges defined by RFC1918 are deliberately excluded, which reduces false positives from links to internal network resources that would otherwise be benign. Checks on the sender's profile are also applied, either to filter out likely false positives or to account for a sender history that includes malicious messages. Overall, the rule aims to mitigate the risk of malware delivered via email attachments that contain such links.
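The following Python script is an added illustration of the detection logic described above; it is not the Sublime rule itself (Sublime rules are written in Sublime's own query language) and is not code from the Sublime Rules project. It assumes the attachment's OLE external relationship targets have already been extracted into a list of strings, and the archive and suspicious extension lists, the sample attachments and the IP addresses in them are constructed for the example. The RFC1918 exclusion is implemented explicitly rather than via `ipaddress.is_private`, which also covers loopback and link-local ranges the summary does not mention.

```python
import ipaddress
from urllib.parse import urlsplit

# Size limit stated in the rule summary: attachments larger than this are out of scope.
MAX_ATTACHMENT_BYTES = 100 * 1024 * 1024

# Hypothetical stand-ins for the rule's "common archive" and "suspicious" extension
# categories (assumption: the real lists are not reproduced on the page).
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "tar", "gz"}
SUSPICIOUS_EXTENSIONS = {"doc", "docm", "xls", "xlsm", "rtf"}

# The three RFC1918 private IPv4 ranges that the rule excludes.
RFC1918_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def attachment_in_scope(file_name, file_type, content_type, size_bytes):
    """Apply the attachment filter from the summary: size cap, then extension/type checks.

    Interpretation (assumption): an attachment is in scope if it is under the size
    limit and either has an archive/suspicious extension, or has no extension,
    an 'unknown' type, or an application/octet-stream content type.
    """
    if size_bytes > MAX_ATTACHMENT_BYTES:
        return False
    ext = file_name.rsplit(".", 1)[1].lower() if "." in file_name else ""
    if ext in ARCHIVE_EXTENSIONS or ext in SUSPICIOUS_EXTENSIONS:
        return True
    return ext == "" or file_type == "unknown" or content_type == "application/octet-stream"


def is_rfc1918(addr):
    """True only for IPv4 addresses inside 10/8, 172.16/12 or 192.168/16."""
    return isinstance(addr, ipaddress.IPv4Address) and any(addr in n for n in RFC1918_NETWORKS)


def external_file_ip_target(target):
    """Return the IP as a string if `target` is a file:// link to a non-RFC1918 IP, else None."""
    parts = urlsplit(target)
    if parts.scheme.lower() != "file":
        return None          # only the file scheme is of interest
    host = parts.hostname
    if not host:
        return None          # file:///C:/... has no host component at all
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None          # hostname rather than an IP literal
    if is_rfc1918(addr):
        return None          # internal network target: excluded to limit false positives
    return str(addr)


def evaluate_attachment(attachment):
    """Return the list of external IP targets found in the attachment's OLE relationships."""
    if not attachment_in_scope(
        attachment["file_name"],
        attachment["file_type"],
        attachment["content_type"],
        attachment["size_bytes"],
    ):
        return []
    hits = []
    for rel_target in attachment["ole_external_relationships"]:
        ip = external_file_ip_target(rel_target)
        if ip is not None:
            hits.append(ip)
    return hits


# Constructed sample attachments; the relationship targets and IPs are made up
# (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_ATTACHMENTS = [
    {
        "file_name": "invoice.docm",
        "file_type": "docm",
        "content_type": "application/octet-stream",
        "size_bytes": 48_000,
        "ole_external_relationships": [
            "file://203.0.113.10/share/template.dotm",   # external IP: should fire
            "file://10.0.0.5/share/template.dotm",       # RFC1918: excluded
            "https://203.0.113.10/template.dotm",        # not file scheme: ignored
        ],
    },
    {
        "file_name": "report.pdf",
        "file_type": "pdf",
        "content_type": "application/pdf",
        "size_bytes": 12_000,
        "ole_external_relationships": ["file://203.0.113.10/x"],  # out of scope by type
    },
]


if __name__ == "__main__":
    for att in SAMPLE_ATTACHMENTS:
        print(att["file_name"], "->", evaluate_attachment(att))
```

Running the script flags only the first attachment, and only for the 203.0.113.10 target; the private-range link and the HTTPS link in the same document do not contribute, and the PDF is skipped before its relationships are inspected.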
Categories
  • Endpoint
  • Web
  • Cloud
  • Application
Data Sources
  • File
  • Process
  • Application Log
Created: 2024-03-24