
Summary
This detection rule identifies connections made by Generative AI (GenAI) tools to unusual domains on macOS systems. Its purpose is to surface adversarial activity in which GenAI tools are abused through prompt injection, malicious Model Context Protocol (MCP) servers, or compromised plugins. Although these tools are generally used for legitimate purposes, a compromised tool can serve as a conduit for command-and-control (C2) communication or for the exfiltration of sensitive data. The rule analyzes network events and captures instances where a GenAI process attempts to connect to a domain that is not recognized as a typical legitimate service, which may indicate a compromise. The investigation guidance covers assessing the legitimacy of the destination domain, examining the process command line for what triggered the connection, checking the domain's registration date, and examining the network traffic to determine the nature of the interaction. False positives can arise when legitimate tools update or begin interacting with new domains, so alerts need careful analysis. When malicious activity is verified, the immediate response includes blocking the domain and reviewing the GenAI tools' configurations for signs of compromise.
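
The matching logic described above, sketched as an added example that is not the rule's own query: it flags macOS network events where a GenAI process reaches a domain outside an expected-domain list, comparing on DNS label boundaries so lookalike names do not pass. The process names, domains, allowlist and ECS-style field names are all assumptions constructed for illustration.

```python
# Added example: process names, domains and events are constructed placeholders.
GENAI_PROCESSES = {"example-genai-cli", "example-ai-ide"}              # assumed tool names
EXPECTED_SUFFIXES = ("genai-vendor.example", "pkg-registry.example")  # assumed allowlist


def normalize(domain):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return (domain or "").strip().lower().rstrip(".")


def is_expected(domain):
    """True only for an exact match or a match at a DNS label boundary."""
    d = normalize(domain)
    return any(d == s or d.endswith("." + s) for s in EXPECTED_SUFFIXES)


def unusual_connections(events):
    """Return (process, domain) pairs for GenAI processes reaching unexpected domains."""
    hits = []
    for ev in events:
        if ev.get("host.os.type") != "macos":
            continue
        if (ev.get("process.name") or "").lower() not in GENAI_PROCESSES:
            continue
        domain = normalize(ev.get("destination.domain"))
        if not domain:  # IP-only connection: nothing to compare against the list
            continue
        if not is_expected(domain):
            hits.append((ev["process.name"], domain))
    return hits


def _ev(os_type, proc, domain):
    return {"host.os.type": os_type, "process.name": proc, "destination.domain": domain}


SAMPLE_EVENTS = [  # constructed events, not captured telemetry
    _ev("macos", "example-genai-cli", "api.genai-vendor.example"),             # expected
    _ev("macos", "example-genai-cli", "API.GenAI-Vendor.example."),            # expected
    _ev("macos", "example-genai-cli", "genai-vendor.example.collector.test"),  # lookalike prefix
    _ev("macos", "example-ai-ide", "files.unknown-host.test"),                 # unknown domain
    _ev("macos", "curl", "files.unknown-host.test"),                           # not a GenAI process
    _ev("linux", "example-genai-cli", "files.unknown-host.test"),              # not macOS
    _ev("macos", "example-ai-ide", None),                                      # no domain recorded
    _ev("macos", "example-ai-ide", "notgenai-vendor.example"),                 # no label boundary
]

if __name__ == "__main__":
    for proc, dom in unusual_connections(SAMPLE_EVENTS):
        print(f"ALERT process={proc} destination.domain={dom}")
```

A plain substring or `endswith` check without the leading dot would treat the two lookalike domains in the sample as expected, so the boundary comparison is what keeps the allowlist from becoming a blind spot.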
Categories
- macOS
- Cloud
- Endpoint
Data Sources
- Network Traffic
- Application Log
ATT&CK Techniques
- T0086
- T1071
- T1071.001
Created: 2025-12-04