
Potential File Extension Spoofing Using Right-to-Left Override

Sigma Rules

Summary
This rule detects attempts at file extension spoofing through the Right-to-Left Override (RTLO) technique. The RTLO character reverses how the text that follows it is rendered, so a malicious actor can make a filename appear to end in a harmless extension while misleading users or security systems about the actual file type. Specifically, the rule monitors for filenames containing the RTLO character (U+202E) together with one of the potentially spoofed extension fragments 'fpd..', 'nls..', 'vsc..', 'xcod.', and 'xslx.'. Only when both conditions are met does the rule trigger an alert; the alert is rated high because such filename manipulation carries a significant risk of malicious intent. False positives may occur with legitimate filenames in languages that use right-to-left scripts, such as Arabic or Hebrew, so context is important when evaluating detections.
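The following Python is an added illustration of the rule's two-part logic, not code from the Sigma project: it flags a filename only when U+202E and one of the listed fragments both occur, and shows what a responder would want next to the alert, namely how the name renders versus the extension the OS actually uses. The sample filenames are constructed, and the rendering helper is a deliberate approximation of bidi display.

```python
import os

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE

# Spoofed extension fragments exactly as the rule lists them. Read backwards,
# 'xcod.' is '.docx' and 'xslx.' is '.xlsx': the extension the name is meant
# to appear to end with once the override reverses the rendered text.
SPOOFED_FRAGMENTS = ("fpd..", "nls..", "vsc..", "xcod.", "xslx.")


def as_displayed(name: str) -> str:
    """Approximate how a viewer renders the name: the text after the first
    U+202E is shown reversed. Real rendering follows the full Unicode bidi
    algorithm, so treat this as an illustration, not a bidi implementation."""
    if RTLO not in name:
        return name
    prefix, _, tail = name.partition(RTLO)
    return prefix + tail[::-1]


def actual_extension(name: str) -> str:
    """Extension the OS will actually use: the raw string's last suffix."""
    return os.path.splitext(name)[1].lower()


def is_rtlo_spoof(name: str) -> bool:
    """Mirror the rule: alert only when BOTH the RTLO character and one of the
    spoofed fragments are present (case-insensitive, like Sigma 'contains')."""
    lowered = name.lower()
    return RTLO in lowered and any(frag in lowered for frag in SPOOFED_FRAGMENTS)


def triage(name: str) -> dict:
    """What the user saw versus what will execute, plus the rule verdict."""
    return {
        "flagged": is_rtlo_spoof(name),
        "displayed_as": as_displayed(name),
        "actual_extension": actual_extension(name),
        "has_rtlo": RTLO in name,
    }


# Constructed sample file-event names (not real telemetry).
SAMPLES = [
    "Q3-report\u202Excod.exe",                   # shown as 'Q3-reportexe.docx', runs as .exe
    "budget\u202Exslx.scr",                      # shown as 'budgetrcs.xlsx', runs as .scr
    "\u202e\u062a\u0642\u0631\u064a\u0631.pdf",  # Arabic name with RTLO but no spoofed fragment
    "minutes.docx",                              # ordinary document, no RTLO
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

The third sample is the false-positive class the summary mentions: it contains U+202E but none of the fragments, so the rule stays quiet.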
Categories
  • Endpoint
  • Windows
Data Sources
  • File
Created: 2024-11-17