Suspicious Space Characters in RunMRU Registry Path - ClickFix

Sigma Rules

Summary
This detection rule identifies suspicious use of space characters within the RunMRU (Most Recently Used) registry paths in Windows. Such patterns may indicate phishing attacks that use ClickFix techniques to obscure malicious commands entered into the Windows Run dialog. Anomalous RunMRU entries can be attempts to disguise harmful executables or scripts by padding them with space characters so that they evade casual inspection. The rule looks for numerous variations of space characters, so that any entry that manipulates RunMRU through excessive whitespace is flagged as suspicious. Given the nature of the detection, false positives are unlikely, which makes this a valuable rule for strengthening endpoint security against execution-based threats.
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
Created: 2025-11-04
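The check described in the Summary, as an added Python example that is not the rule's own source: it scans registry value-set events (Sysmon-style `TargetObject` and `Details` fields) for RunMRU entries that contain a long run of space characters. The list of space variants, the threshold of 8, and the sample events are assumptions constructed for illustration.

```python
import re

# Assumed list of space variants; the rule's own list is not shown on this page.
SPACE_CHARS = (
    "\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006"
    "\u2007\u2008\u2009\u200a\u202f\u205f\u3000"
)
MIN_RUN = 8  # assumed threshold for "excessive" consecutive spaces
RUN_RE = re.compile("[" + SPACE_CHARS + "]{" + str(MIN_RUN) + ",}")
RUNMRU = "\\currentversion\\explorer\\runmru\\"

# Constructed sample events; the SID, command text and values are placeholders.
KEY = "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\"
SAMPLE_EVENTS = [
    {"TargetObject": KEY + "a", "Details": "notepad.exe\\1"},
    {"TargetObject": KEY + "b",
     "Details": "PLACEHOLDER_COMMAND" + "\u2003" * 40 + "# verification text\\1"},
    {"TargetObject": KEY + "MRUList", "Details": "ba"},
    {"TargetObject": "HKLM\\SOFTWARE\\Example\\Setting", "Details": "x" + " " * 20},
]

def longest_space_run(details):
    """Return (offset, length, codepoints) of the longest qualifying run, or None."""
    runs = list(RUN_RE.finditer(details))
    if not runs:
        return None
    m = max(runs, key=lambda r: len(r.group()))
    kinds = sorted({"U+%04X" % ord(c) for c in m.group()})
    return m.start(), len(m.group()), kinds

def scan(events):
    """Flag value-set events under RunMRU whose data contains a long space run."""
    hits = []
    for ev in events:
        if RUNMRU not in ev["TargetObject"].lower():
            continue  # only RunMRU values are in scope
        run = longest_space_run(ev["Details"])
        if run is None:
            continue
        offset, length, kinds = run
        tail = ev["Details"][offset + length:]
        hits.append({
            "value": ev["TargetObject"].rsplit("\\", 1)[-1],
            "run_length": length,
            "space_kinds": kinds,
            "before_run": ev["Details"][:offset],
            "after_run": tail[:-2] if tail.endswith("\\1") else tail,  # drop the "\1" suffix
        })
    return hits
```

Reporting the text on both sides of the padding lets an analyst read the full entry during triage without scrolling through the whitespace.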