
Summary
This detection rule identifies Internet Shortcut (.url) files that were downloaded from an external source on Windows hosts, a file type frequently delivered in phishing campaigns. The rule is written in Elastic's EQL (Event Query Language) and watches file creation events where the file extension is .url. To establish that the file came from outside the host, it reads the Windows zone identifier that Mark-of-the-Web stores in the file's Zone.Identifier alternate data stream: 0 is the local machine and 1 the local intranet, so a value greater than 1 (trusted sites, Internet, or restricted sites) marks the file as non-local. Files created by the explorer.exe process are excluded, which removes the noise of a user creating or moving a shortcut through the Windows shell. Because the check depends on the Zone.Identifier stream being present, a .url file that arrives without the mark (for example after extraction by a tool that does not propagate it) will not match. The rule carries a risk score of 47 and medium severity. It ships with an investigation guide covering triage steps, likely false positives, and response actions.
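The conditions described above, re-implemented in Python over constructed sample events so the logic can be run offline. This is an added example, not Elastic's rule code or its EQL; the dotted field names (file.extension, file.Ext.windows.zone_identifier, process.name, host.os.type, event.type) and the sample Zone.Identifier text are assumptions modelled on Elastic's endpoint field naming and on the usual layout of the stream, and the case-insensitive comparisons are a choice made here that the page does not specify.

```python
# Added example (not Elastic's rule code): the rule conditions summarised on the
# page, re-implemented over constructed events so they can be exercised offline.
# Field names are an assumption modelled on Elastic's endpoint field naming.

from typing import Iterable, Optional

# Windows URL security zones as written to the Zone.Identifier alternate data stream.
ZONE_LOCAL_MACHINE = 0
ZONE_LOCAL_INTRANET = 1
ZONE_TRUSTED_SITES = 2
ZONE_INTERNET = 3
ZONE_RESTRICTED_SITES = 4

# Constructed Zone.Identifier stream content, as a browser would write it.
SAMPLE_ZONE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "HostUrl=https://example.com/invoice.url\r\n"
)


def parse_zone_id(ads_text: str) -> Optional[int]:
    """Extract the ZoneId value from the text of a Zone.Identifier stream.

    Returns None when no parseable ZoneId line is present, which is how a file
    without Mark-of-the-Web (or with a damaged stream) shows up.
    """
    for line in ads_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "zoneid":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def is_downloaded_url_file(event: dict) -> bool:
    """Mirror of the rule conditions: Windows host, file creation, .url extension,
    zone identifier greater than 1, and creating process other than explorer.exe.
    Comparisons are case-insensitive (a choice made in this example)."""
    if str(event.get("host.os.type", "")).lower() != "windows":
        return False
    if event.get("event.type") != "creation":
        return False
    if str(event.get("file.extension", "")).lower() != "url":
        return False
    try:
        zone = int(event.get("file.Ext.windows.zone_identifier"))
    except (TypeError, ValueError):
        return False  # no zone identifier recorded: cannot assert an external origin
    if zone <= ZONE_LOCAL_INTRANET:
        return False
    if str(event.get("process.name", "")).lower() == "explorer.exe":
        return False
    return True


def run_rule(events: Iterable[dict]) -> list:
    """Return the file names of the events that would raise the alert."""
    return [e["file.name"] for e in events if is_downloaded_url_file(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.type": "creation", "file.name": "invoice.url",
     "file.extension": "url", "file.Ext.windows.zone_identifier": ZONE_INTERNET,
     "process.name": "OUTLOOK.EXE"},                  # attachment saved from mail: alert
    {"host.os.type": "windows", "event.type": "creation", "file.name": "intranet.url",
     "file.extension": "url", "file.Ext.windows.zone_identifier": ZONE_LOCAL_INTRANET,
     "process.name": "msedge.exe"},                   # intranet origin: no alert
    {"host.os.type": "windows", "event.type": "creation", "file.name": "site.url",
     "file.extension": "url", "file.Ext.windows.zone_identifier": ZONE_INTERNET,
     "process.name": "explorer.exe"},                 # excluded process: no alert
    {"host.os.type": "windows", "event.type": "creation", "file.name": "report.pdf",
     "file.extension": "pdf", "file.Ext.windows.zone_identifier": ZONE_INTERNET,
     "process.name": "chrome.exe"},                   # not a .url file: no alert
    {"host.os.type": "windows", "event.type": "deletion", "file.name": "old.url",
     "file.extension": "url", "file.Ext.windows.zone_identifier": ZONE_INTERNET,
     "process.name": "chrome.exe"},                   # not a creation: no alert
    {"host.os.type": "windows", "event.type": "creation", "file.name": "unmarked.url",
     "file.extension": "url", "file.Ext.windows.zone_identifier": None,
     "process.name": "7z.exe"},                       # no Mark-of-the-Web: no alert
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))
```

The last sample event shows the blind spot noted above: a .url file that lands on disk without a Zone.Identifier stream carries no zone value, so the rule has nothing to compare and stays silent even though the file may well have come from the Internet.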
Categories
- Endpoint
- Windows
Data Sources
- File
- Process
ATT&CK Techniques
- T1204
- T1566
- T1566.001
- T1566.002
Created: 2020-09-02