
Summary
This detection rule identifies email data files, specifically those with .pst and .ost extensions, being created outside the designated Outlook directories. Using the Endpoint.Filesystem data model, it tracks file creation events and filters the results to locate email files that are not under the typical Outlook paths "C:\Users\*\My Documents\Outlook Files\*" and "C:\Users\*\AppData\Local\Microsoft\Outlook*". The presence of such files outside the standard directories may indicate malicious activity such as data exfiltration or unauthorized access to email content, posing a significant risk of data breaches or further compromise within an organization's network. The analytic is driven by Sysmon EventID 11 (FileCreate), which records the filesystem activity the detection needs. False positives may occur when legitimate users or administrators back up their email by moving these files to other locations, which the rule may also capture.
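The filtering logic described above, reproduced as an added Python example rather than the rule's own search: it walks constructed Sysmon Event ID 11 records, keeps only .pst/.ost creations, and drops anything under the two Outlook path patterns the summary names. The event field names (EventID, Computer, User, Image, TargetFilename) follow Sysmon's XML layout, and the sample records are constructed, not real telemetry. The optional `extra_allowed` parameter is an assumption of this example, added to show where an analyst would tune out known backup locations.

```python
"""Detection stand-in: Outlook data files created outside expected Outlook paths.

Added example, not the analytic's own code. Models the filter described in the
rule summary over constructed Sysmon Event ID 11 (FileCreate) records.
"""
import fnmatch
from typing import Dict, Iterable, List, Sequence

# Extensions the rule treats as Outlook data files.
EMAIL_EXTENSIONS = (".pst", ".ost")

# Expected Outlook locations, taken from the rule summary. Matched with shell-style
# wildcards; comparison is case-insensitive because NTFS paths are.
OUTLOOK_PATHS = (
    r"C:\Users\*\My Documents\Outlook Files\*",
    r"C:\Users\*\AppData\Local\Microsoft\Outlook*",
)

# Constructed sample events (assumed Sysmon field names). Event 1 and 2 are
# normal Outlook activity, 3 and 4 are .pst/.ost files created elsewhere,
# 5 is a non-email file, and 6 is not a FileCreate event at all.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "11", "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@corp.local.ost"},
    {"EventID": "11", "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\My Documents\Outlook Files\archive.pst"},
    {"EventID": "11", "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\Public\mail-export.pst"},
    {"EventID": "11", "Computer": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Temp\mailbox.OST"},
    {"EventID": "11", "Computer": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\bob\Documents\notes.txt"},
    {"EventID": "1", "Computer": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Temp\mailbox.pst"},
]


def is_email_file(path: str) -> bool:
    """True when the created file carries a .pst or .ost extension, any case."""
    return path.lower().endswith(EMAIL_EXTENSIONS)


def in_expected_location(path: str, allowed: Sequence[str] = OUTLOOK_PATHS) -> bool:
    """True when the path falls under one of the allowed wildcard patterns."""
    lowered = path.lower()
    return any(fnmatch.fnmatchcase(lowered, pattern.lower()) for pattern in allowed)


def detect_email_files_outside_outlook(
    events: Iterable[Dict[str, str]],
    extra_allowed: Sequence[str] = (),
) -> List[Dict[str, str]]:
    """Return the FileCreate events for .pst/.ost files outside Outlook directories.

    extra_allowed (hypothetical tuning knob) lets an analyst suppress known
    backup destinations, the false-positive source the rule summary calls out.
    """
    allowed = tuple(OUTLOOK_PATHS) + tuple(extra_allowed)
    hits: List[Dict[str, str]] = []
    for event in events:
        if event.get("EventID") != "11":  # only Sysmon FileCreate events
            continue
        target = event.get("TargetFilename", "")
        if not is_email_file(target) or in_expected_location(target, allowed):
            continue
        hits.append({
            "Computer": event.get("Computer", ""),
            "User": event.get("User", ""),
            "Image": event.get("Image", ""),
            "TargetFilename": target,
        })
    return hits


if __name__ == "__main__":
    for hit in detect_email_files_outside_outlook(SAMPLE_EVENTS):
        print(f"{hit['Computer']} {hit['User']} {hit['Image']} -> {hit['TargetFilename']}")
```

Run against the constructed events, the two Outlook-managed files are dropped and the PowerShell- and cmd-created files are reported. Before deploying a filter like this, confirm that the allow-list patterns match the Outlook data path your endpoints actually log; if a legitimate location is missing from the patterns, every routine Outlook write there becomes a false positive.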
Categories
- Endpoint
Data Sources
- File
ATT&CK Techniques
- T1114
- T1114.001
Created: 2025-01-21