
Potential File Download Via MS-AppInstaller Protocol Handler

Sigma Rules

Summary
This detection rule identifies use of the `ms-appinstaller` protocol handler on the command line, which may indicate an attempt to download arbitrary files through the AppInstaller.EXE application on Windows systems. Malicious actors can abuse this protocol to fetch files from untrusted sources, posing a security risk. The downloaded files are temporarily cached in a directory within the user's AppData, so monitoring for this activity can help mitigate unauthorized file downloads. The detection logic focuses on command line arguments that contain the `ms-appinstaller://?source=` prefix followed by a URL, indicating a download request. The rule is currently under testing and is classified with a medium severity level. It is intended for environments where monitoring office-related downloads and application processes is critical, especially where users have elevated privileges that could facilitate malicious downloads.
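The following is an added illustration of the detection logic described above, not the Sigma rule itself or code from the rule's project. It assumes process-creation events as dicts with `CommandLine`, `ParentImage`, `User` and `Computer` fields, matches the `ms-appinstaller://?source=` prefix followed by an http(s) URL case-insensitively, and extracts the source host for analyst triage; the sample events are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed form of the rule's command-line match: the ms-appinstaller handler
# with a source= parameter carrying an http(s) URL. Windows command lines are
# case-insensitive, so the match is too.
MSAPPINSTALLER_RE = re.compile(
    r"ms-appinstaller://\?source=(https?://[^\s\"'&]+)", re.IGNORECASE
)

def extract_appinstaller_source(command_line):
    """Return the URL passed via ms-appinstaller://?source=, or None."""
    match = MSAPPINSTALLER_RE.search(command_line or "")
    return match.group(1) if match else None

def evaluate_events(events):
    """Run the detection over process-creation events, one alert per hit.
    Each alert keeps what an analyst needs for triage: the parent process
    (browser? Office app?), the user, and the host the file would come from."""
    alerts = []
    for event in events:
        url = extract_appinstaller_source(event.get("CommandLine"))
        if url is None:
            continue
        alerts.append({
            "computer": event.get("Computer"),
            "user": event.get("User"),
            "parent_image": event.get("ParentImage"),
            "source_url": url,
            "source_host": urlsplit(url).hostname or "",
            "level": "medium",  # severity stated for the rule
        })
    return alerts

# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "\"C:\\Windows\\explorer.exe\" MS-AppInstaller://?source=https://cdn.example.test/update.msix"},
    {"Computer": "WS02", "User": "CORP\\bob",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Program Files\\WindowsApps\\DesktopAppInstaller\\AppInstaller.exe\""},
]

if __name__ == "__main__":
    for alert in evaluate_events(SAMPLE_EVENTS):
        print(alert)
```

The second event shows AppInstaller.exe launched without the protocol URL, which the rule does not flag; only the first event, with an Office parent, produces an alert.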
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2023-11-09