Summary
This detection rule identifies DNS queries to domains linked to the 3CX supply chain attack. It analyzes data from the 'Network_Resolution' datamodel, populated here by Sysmon EventID 22 (DNS query) events, to pinpoint suspicious domain lookups that could signify compromise via this attack vector. The 3CX incident is characterized by the distribution of malware through trusted software updates, so detecting these DNS queries is critical for early intervention. If attackers successfully infiltrate the network, they could exfiltrate data, establish persistent access, or deploy further malware, potentially resulting in significant organizational impact and data breaches.
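The matching logic the summary describes, as an added example that is not part of the original rule or of the content it summarizes: a small Python matcher that parses the message body of Sysmon Event ID 22 records, normalizes the QueryName field, and flags lookups that equal or are subdomains of a watchlist entry. The watchlist domains, process paths, timestamps and addresses below are constructed placeholders, not the actual 3CX indicators; in practice the watchlist would be the domain list carried by the detection rule or a threat-intel feed.

```python
import re
from typing import Dict, Iterable, List, Optional

# Placeholder watchlist (constructed for this example). These are NOT the real
# 3CX indicators; replace with the rule's domain list or your own feed.
WATCHLIST_DOMAINS = {
    "update-cdn.example",
    "telemetry-sync.example",
}

# Sysmon writes the event body as "Field: value" lines; capture each pair.
_FIELD_RE = re.compile(r"^\s*(\w+):\s*(.*?)\s*$")


def parse_sysmon_dns_event(message: str) -> Dict[str, str]:
    """Parse the key/value lines of a Sysmon Event ID 22 message into a dict."""
    fields: Dict[str, str] = {}
    for line in message.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def normalize_domain(name: str) -> str:
    """Lowercase and drop the trailing dot so FQDN variants compare equal."""
    return name.strip().rstrip(".").lower()


def matches_watchlist(query_name: str, watchlist: Iterable[str]) -> Optional[str]:
    """Return the watchlist entry that query_name equals or sits beneath, else None.

    Matching is done per DNS label ("." + domain), so "evilupdate-cdn.example"
    does not match "update-cdn.example" but "cdn1.update-cdn.example" does.
    """
    q = normalize_domain(query_name)
    for entry in watchlist:
        d = normalize_domain(entry)
        if q == d or q.endswith("." + d):
            return d
    return None


def detect(messages: Iterable[str], watchlist: Iterable[str] = WATCHLIST_DOMAINS) -> List[dict]:
    """Run the watchlist check over raw Event ID 22 messages and return the hits."""
    hits: List[dict] = []
    for msg in messages:
        ev = parse_sysmon_dns_event(msg)
        query = ev.get("QueryName")
        if not query:
            continue
        matched = matches_watchlist(query, watchlist)
        if matched:
            hits.append({
                "time": ev.get("UtcTime"),
                "query": normalize_domain(query),
                "matched": matched,
                "image": ev.get("Image"),
                "process_id": ev.get("ProcessId"),
            })
    return hits


# Constructed sample events in Sysmon's message-body layout (not real telemetry).
SAMPLE_EVENTS = [
    "Dns query:\n"
    "RuleName: -\n"
    "UtcTime: 2023-03-29 10:15:20.101\n"
    "ProcessId: 1234\n"
    "QueryName: www.example.com\n"
    "QueryStatus: 0\n"
    "QueryResults: ::ffff:203.0.113.10;\n"
    "Image: C:\\Program Files\\Browser\\browser.exe\n",
    "Dns query:\n"
    "RuleName: -\n"
    "UtcTime: 2023-03-29 10:15:22.456\n"
    "ProcessId: 4321\n"
    "QueryName: telemetry-sync.example.\n"   # trailing dot, exact match after normalizing
    "QueryStatus: 0\n"
    "QueryResults: ::ffff:203.0.113.20;\n"
    "Image: C:\\Program Files\\ExampleApp\\ExampleApp.exe\n",
    "Dns query:\n"
    "RuleName: -\n"
    "UtcTime: 2023-03-29 10:15:25.789\n"
    "ProcessId: 4321\n"
    "QueryName: CDN1.Update-CDN.example\n"   # subdomain of a watchlist entry
    "QueryStatus: 0\n"
    "QueryResults: ::ffff:203.0.113.30;\n"
    "Image: C:\\Program Files\\ExampleApp\\ExampleApp.exe\n",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The per-label suffix check is the part worth copying: a plain substring match would fire on unrelated lookalike names and miss nothing, while an exact match would miss subdomains of the indicator; anchoring on "." plus the watchlist domain avoids both. Keeping the Image and ProcessId fields in each hit is what lets a responder tie the lookup back to the process that made it, which is the pivot the Network_Resolution datamodel exists to support.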
Categories
- Network
Data Sources
- Pod
- Network Traffic
ATT&CK Techniques
- T1195.002
Created: 2024-11-13