Attachment: PowerPoint with suspicious hyperlink

Sublime Rules

Summary
This detection rule identifies malicious PowerPoint attachments containing suspicious hyperlinks that can execute arbitrary code when activated. It triggers on any incoming message carrying an attachment with the file extension .ppt or .pptx. For each such attachment, the rule inspects the file's metadata with ExifTool to extract hyperlink information, and flags the attachment when the hyperlinks match at least four of the specified malicious patterns. These patterns cover references that could facilitate code execution, file manipulation, or access to web services. The rule's severity is marked as high: the presence of such links may indicate a malware or ransomware attack, so email attachments of this type warrant careful scrutiny. The detection method combines Exif analysis and file analysis to uncover hidden threats in PowerPoint presentations that would exploit these hyperlinks for harmful purposes.
Categories
  • Endpoint
  • Web
  • Cloud
Data Sources
  • File
  • Process
  • Network Traffic
Created: 2023-08-14