
Summary
This detection rule identifies potential command and control (C2) activity in which Internet Explorer (iexplore.exe) is started through the Component Object Model (COM), a technique adversaries use to hide their network traffic inside a trusted browser process and evade detection. The rule looks for Internet Explorer starting in an unusual way, specifically in connection with processes such as rundll32.exe or regsvr32.exe, which can indicate that a loaded component rather than a user is driving the browser. DNS queries from Internet Explorer to Microsoft domains are excluded as expected background traffic; the rule focuses instead on queries to external domains that are not normal for Internet Explorer started in this way. Alerts from this rule should be investigated with particular attention to host and user activity (the process tree around iexplore.exe, which component launched it, and which domains it resolved), followed by appropriate containment and remediation.
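The following is an added illustration of the correlation logic described above, written for this page and not the rule's own query. It models the two stages as a small sequence correlator over constructed endpoint events: first an iexplore.exe start whose parent is one of the COM loaders named in the summary, then, within a time window on the same host and user, a DNS query from iexplore.exe to a domain outside an allowlist. The allowlist patterns, the 60 second window, and the choice to model "started via COM" as the parent being rundll32.exe or regsvr32.exe are assumptions for the example, not the rule's actual conditions.

```python
"""Toy correlator for "Internet Explorer started via COM, then DNS to an
unexpected domain". Added example; the event shape, allowlist and window
are assumptions and do not reproduce the real rule's fields or exceptions."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Tuple

# DNS suffixes a COM-launched Internet Explorer is expected to resolve.
# Assumption for this example: a real deployment tunes this list from
# observed benign traffic.
BENIGN_DNS_PATTERNS = (
    "*.microsoft.com",
    "*.windowsupdate.com",
    "*.msocsp.com",
    "*.digicert.com",
)

# Processes whose launch of iexplore.exe we treat as "started via COM"
# (assumption for the example, following the summary's wording).
COM_LOADERS = {"rundll32.exe", "regsvr32.exe"}


@dataclass
class Event:
    ts: float                      # seconds since epoch (constructed data)
    host: str
    user: str
    kind: str                      # "process_start" or "dns"
    process: str                   # image name of the acting process
    parent: Optional[str] = None   # only for process_start events
    dns_name: Optional[str] = None # only for dns events


def is_benign_dns(name: str) -> bool:
    """True if the queried name matches one of the allowlisted suffixes."""
    name = name.lower().rstrip(".")
    return any(fnmatch(name, pattern) for pattern in BENIGN_DNS_PATTERNS)


def detect_ie_com_c2(events: List[Event], maxspan: float = 60.0) -> List[Tuple[str, str, str]]:
    """Return (host, user, dns_name) for each DNS query iexplore.exe makes to a
    non-allowlisted domain within `maxspan` seconds of iexplore.exe being
    started under one of COM_LOADERS on the same host and user."""
    alerts: List[Tuple[str, str, str]] = []
    # Stage 1 state: (host, user) -> timestamps of COM-launched IE starts.
    starts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.user)
        if (ev.kind == "process_start"
                and ev.process.lower() == "iexplore.exe"
                and (ev.parent or "").lower() in COM_LOADERS):
            starts.setdefault(key, []).append(ev.ts)
        elif ev.kind == "dns" and ev.process.lower() == "iexplore.exe" and ev.dns_name:
            if is_benign_dns(ev.dns_name):
                continue  # expected background traffic, drop it
            # Stage 2: only fire if stage 1 happened recently for this host/user.
            if any(0 <= ev.ts - t <= maxspan for t in starts.get(key, [])):
                alerts.append((ev.host, ev.user, ev.dns_name))
    return alerts


# Constructed sample telemetry covering the cases the rule distinguishes.
SAMPLE_EVENTS = [
    # Interactive browsing: IE launched from explorer.exe, unusual domain -> no alert.
    Event(100, "ws01", "alice", "process_start", "iexplore.exe", parent="explorer.exe"),
    Event(101, "ws01", "alice", "dns", "iexplore.exe", dns_name="news.example.org"),
    # COM-launched IE that only talks to Microsoft -> expected, no alert.
    Event(200, "ws02", "bob", "process_start", "iexplore.exe", parent="rundll32.exe"),
    Event(202, "ws02", "bob", "dns", "iexplore.exe", dns_name="go.microsoft.com"),
    # COM-launched IE resolving an unrelated domain right after start -> alert.
    Event(300, "ws03", "carol", "process_start", "iexplore.exe", parent="regsvr32.exe"),
    Event(303, "ws03", "carol", "dns", "iexplore.exe", dns_name="cdn-updates.example.net"),
    # Same pattern but far outside the correlation window -> no alert.
    Event(400, "ws04", "dave", "process_start", "iexplore.exe", parent="rundll32.exe"),
    Event(4000, "ws04", "dave", "dns", "iexplore.exe", dns_name="cdn-updates.example.net"),
]


if __name__ == "__main__":
    for host, user, name in detect_ie_com_c2(SAMPLE_EVENTS):
        print(f"ALERT host={host} user={user} iexplore.exe resolved {name}")
```

Only the third scenario produces an alert; the first is ordinary user browsing, the second is the benign traffic the allowlist is meant to suppress, and the fourth shows why the time window matters. When triaging a real hit, the same three facts the correlator keys on (who started iexplore.exe, for which user, and which names it resolved) are the first things to pull from the host.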
Categories
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
- Container
ATT&CK Techniques
- T1071
- T1559
- T1559.001
Created: 2020-11-28