
Summary
This detection rule analyzes the creation of Remote Desktop Protocol (.rdp) files generated by Microsoft Outlook when a user downloads attachments. It is particularly relevant given the rise of spear-phishing campaigns orchestrated by threat actors such as Russia's APT29, who use .rdp files as a vector for initiating unauthorized remote access to victims' systems. The logic leverages Windows Event Logs to detect specific event IDs associated with file access and modifications. By monitoring the temporary directories utilized by Outlook, where these .rdp files are typically created, the detection rule aims to capture any suspicious activity that may indicate malicious intent. This provides security teams with the capability to identify potential lateral movement attempts and phishing-related incidents in their environments, thereby enhancing their threat detection and response posture.
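As an added example, not code from this rule page or its vendor, the following Python sketches the detection logic the summary describes over constructed Sysmon-style FileCreate records. The page names neither the event ID nor the directory, so the use of Sysmon Event ID 11, the `Image`/`TargetFilename` field names, and the `Content.Outlook` secure temp folder are assumptions; the sample events are constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumption: events arrive as flattened Sysmon Event ID 11 (FileCreate) records.
SYSMON_FILE_CREATE = 11

# Assumption: Outlook writes attachment copies under
# ...\INetCache\Content.Outlook\<random>\ (older builds used
# ...\Temporary Internet Files\Content.Outlook\). Both contain this segment.
OUTLOOK_TEMP_RE = re.compile(r"\\content\.outlook\\", re.IGNORECASE)


def is_outlook_rdp_drop(event: dict) -> bool:
    """True when a .rdp file is created by Outlook or inside its temp folder."""
    if event.get("EventID") != SYSMON_FILE_CREATE:
        return False
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")
    # suffix handles case (.RDP) and double extensions (Details.PDF.rdp).
    if PureWindowsPath(target).suffix.lower() != ".rdp":
        return False
    in_outlook_temp = bool(OUTLOOK_TEMP_RE.search(target))
    by_outlook = PureWindowsPath(image).name.lower() == "outlook.exe"
    # Either condition is enough: a .rdp landing in Content.Outlook, or
    # outlook.exe writing a .rdp anywhere, is what the rule wants surfaced.
    return in_outlook_temp or by_outlook


def find_outlook_rdp_drops(events: list) -> list:
    """Return (Computer, User, TargetFilename) for every matching event."""
    return [
        (e.get("Computer", ""), e.get("User", ""), e["TargetFilename"])
        for e in events
        if is_outlook_rdp_drop(e)
    ]


# Constructed sample telemetry (hostnames, users and paths are made up).
OUTLOOK_TEMP = r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook"
SAMPLE_EVENTS = [
    {   # attachment saved by Outlook as a .rdp file: should fire
        "EventID": 11, "Computer": "WS01", "User": r"CORP\alice",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "TargetFilename": OUTLOOK_TEMP + r"\7K2QZ9AB\invoice.rdp",
    },
    {   # ordinary document attachment: benign
        "EventID": 11, "Computer": "WS01", "User": r"CORP\alice",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "TargetFilename": OUTLOOK_TEMP + r"\7K2QZ9AB\report.docx",
    },
    {   # user's own saved RDP shortcut outside Outlook: benign
        "EventID": 11, "Computer": "WS01", "User": r"CORP\alice",
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\Documents\work-vpn.RDP",
    },
    {   # double extension inside the Outlook temp folder: should fire
        "EventID": 11, "Computer": "WS02", "User": r"CORP\bob",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "TargetFilename": OUTLOOK_TEMP.replace("alice", "bob") + r"\9XAB11CD\Details.PDF.rdp",
    },
    {   # wrong event type (process creation), even though it names a .rdp
        "EventID": 1, "Computer": "WS02", "User": r"CORP\bob",
        "Image": r"C:\Windows\System32\mstsc.exe",
        "TargetFilename": OUTLOOK_TEMP.replace("alice", "bob") + r"\9XAB11CD\Details.PDF.rdp",
    },
]

if __name__ == "__main__":
    for hit in find_outlook_rdp_drops(SAMPLE_EVENTS):
        print("ALERT outlook-rdp-attachment", *hit)
```

The extension check uses the final suffix only, so a disguised `Details.PDF.rdp` still matches while a user's deliberately saved `.RDP` shortcut in Documents does not; in production, the `Content.Outlook` pattern should be paired with whichever file-create source the environment actually ships (Sysmon 11 or Security 4663 with object auditing enabled).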
Categories
- Windows
- Endpoint
Data Sources
- File
- Windows Registry
- Application Log
ATT&CK Techniques
- T1021.001
- T1566.001
Created: 2024-02-09