
Summary
This detection rule identifies the installation of developer-signed MSIX packages that lack a Microsoft Store signature, an indicator of potentially malicious activity. Recent threat intelligence shows that many malicious MSIX packages used in campaigns attributed to groups such as FIN7, and delivering a range of malware families, were signed only with a developer certificate. Legitimate Microsoft Store apps carry distinctive publisher IDs, such as '8wekyb3d8bbwe' and 'cw5n1h2txyewy' for Microsoft's own packages, which do not appear in developer-signed packages. The rule monitors EventID 855 in the Microsoft-Windows-AppXDeployment-Server/Operational log, which records completed package installations, and flags installs whose package identity lacks a Store publisher ID. The detection matters because a developer-signed package installed outside the Store has not passed Store vetting, and it reinforces the importance of verifying signatures before trusting software installations.
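The following is an added example, not the rule's own query logic or code from the rule's authors. It applies the described check to a handful of constructed AppXDeployment-Server/Operational records: only EventID 855 is considered, the publisher ID is taken from the last underscore-delimited segment of the package full name, and anything that is not a known Store publisher ID (or cannot be parsed at all) is reported. The event field names (`EventID`, `PackageFullName`), the sample package names and the empty enterprise allowlist are assumptions made for this example.

```python
import re

# Publisher IDs the page names as belonging to legitimate Microsoft Store apps.
STORE_PUBLISHER_IDS = {"8wekyb3d8bbwe", "cw5n1h2txyewy"}

# Hypothetical tuning knob: publisher IDs of internal line-of-business packages
# that an organisation deliberately sideloads. Empty here; populate in production.
ENTERPRISE_ALLOWLIST = set()

# A package full name is Name_Version_Architecture_ResourceId_PublisherId; the
# resource id is often empty, which produces the double underscore seen below.
# The publisher ID is a 13-character lower-case base32 string.
PUBLISHER_ID_RE = re.compile(r"^[a-z0-9]{13}$")

# Constructed sample records modelled on the AppXDeployment-Server/Operational
# log. Field names are an assumption for this example, not the log's exact schema.
SAMPLE_EVENTS = [
    {"EventID": 855, "PackageFullName": "Microsoft.WindowsCalculator_11.2210.0.0_x64__8wekyb3d8bbwe"},
    {"EventID": 855, "PackageFullName": "Microsoft.Windows.ShellExperienceHost_10.0.22621.1_neutral_neutral_cw5n1h2txyewy"},
    {"EventID": 855, "PackageFullName": "Contoso.Updater_1.0.0.0_x64__abcdefghijklm"},
    # Same package, but a different event ID: not a completed install, so ignored.
    {"EventID": 854, "PackageFullName": "Contoso.Updater_1.0.0.0_x64__abcdefghijklm"},
    # Malformed identity: surfaced separately rather than silently dropped.
    {"EventID": 855, "PackageFullName": "not-a-package-full-name"},
]


def extract_publisher_id(package_full_name):
    """Return the publisher ID segment of a package full name, or None if malformed."""
    parts = package_full_name.split("_")
    if len(parts) != 5:
        return None
    publisher_id = parts[4]
    if not PUBLISHER_ID_RE.match(publisher_id):
        return None
    return publisher_id


def classify_event(event):
    """Return an alert dict for a suspicious completed install, else None."""
    if event.get("EventID") != 855:
        return None  # only completed package installations are in scope
    name = event.get("PackageFullName", "")
    publisher_id = extract_publisher_id(name)
    if publisher_id is None:
        return {"PackageFullName": name, "PublisherId": None, "reason": "unparseable"}
    if publisher_id in STORE_PUBLISHER_IDS or publisher_id in ENTERPRISE_ALLOWLIST:
        return None  # Store-signed or explicitly trusted enterprise package
    return {"PackageFullName": name, "PublisherId": publisher_id, "reason": "developer-signed"}


def run_detection(events):
    """Apply the rule to a sequence of events and return the alerts in order."""
    return [alert for alert in (classify_event(e) for e in events) if alert is not None]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(f"{alert['reason']:16} {alert['PackageFullName']}")
```

Two tuning points follow from the logic above. First, a package whose publisher ID is neither a Microsoft Store ID nor on the enterprise allowlist is reported, so sideloaded line-of-business packages will fire until their publisher IDs are added to `ENTERPRISE_ALLOWLIST`. Second, an 855 event whose package full name does not parse is reported under its own reason rather than discarded, so schema changes or deliberately odd package names are visible to the analyst instead of creating a blind spot.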
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1553.005
- T1204.002
Created: 2025-08-05