
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
Sublime Rules
Summary
This rule flags Windows library definition files (.library-ms extension) that contain a network (UNC) path, the lure used against CVE-2025-24071. A .library-ms file is an XML document that tells File Explorer where a library's folders live; if one of those locations is a UNC path to an attacker-controlled host, Explorer resolves it automatically once the file is extracted or opened, and the resulting SMB authentication attempt leaks the user's NTLM hash to the attacker. The rule covers both delivery methods: the .library-ms file sent as a direct attachment, and the .library-ms file nested inside an archive attachment. In both branches the file must carry the .library-ms extension and its text must contain the URL pattern the rule looks for. The rule relies on archive analysis and file content analysis.
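As an added illustration of the two branches the rule describes (this is example code, not the Sublime rule itself, which is written in MQL and not shown on this page), the following Python checks a direct .library-ms attachment and a .library-ms member inside a ZIP archive for `<url>` elements holding a UNC path. The library-ms XML layout, the UNC regex and both sample files are assumptions constructed for the example; the sample attacker host 203.0.113.10 is a documentation address.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Hypothetical detector mirroring the rule's two branches: a bare .library-ms
# attachment, or a .library-ms file nested inside an archive attachment.

# A UNC path: two backslashes, a host, a backslash, then the share name.
UNC_RE = re.compile(r"^\\\\[^\\\s]+\\")


def library_ms_unc_paths(data: bytes) -> list[str]:
    """Return every <url> value in a .library-ms document that is a UNC path."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Not well-formed XML: Explorer cannot resolve any location from it,
        # so there is nothing to flag under this rule.
        return []
    hits = []
    for el in root.iter():
        # The library schema puts every element in a namespace; strip it.
        if el.tag.rsplit("}", 1)[-1] == "url" and el.text:
            text = el.text.strip()
            if UNC_RE.match(text):
                hits.append(text)
    return hits


def is_library_ms(name: str) -> bool:
    # Extension check is case-insensitive: ".LIBRARY-MS" is handled the same by Explorer.
    return name.lower().endswith(".library-ms")


def scan_attachment(name: str, data: bytes) -> list[tuple[str, str]]:
    """Return (location, unc_path) findings for a direct attachment or a ZIP archive."""
    findings: list[tuple[str, str]] = []
    if is_library_ms(name):
        findings.extend((name, p) for p in library_ms_unc_paths(data))
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if is_library_ms(member):
                    for p in library_ms_unc_paths(zf.read(member)):
                        findings.append((f"{name}:{member}", p))
    return findings


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP so the archive branch can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample: a library whose only location is an attacker-controlled share.
MALICIOUS_LIBRARY = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Documents</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\203.0.113.10\\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Constructed sample: a benign library pointing at a local folder only.
BENIGN_LIBRARY = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Documents</name>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>C:\\Users\\Public\\Documents</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

if __name__ == "__main__":
    print(scan_attachment("docs.library-ms", MALICIOUS_LIBRARY))
    print(scan_attachment("docs.library-ms", BENIGN_LIBRARY))
    archive = build_zip({"docs.library-ms": MALICIOUS_LIBRARY, "readme.txt": b"hello"})
    print(scan_attachment("report.zip", archive))
```

The archive branch only walks ZIP members here; the rule's "compressed within archive files" wording covers other container formats too, and a production detector would hand those to the same `library_ms_unc_paths` check after extraction.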
Categories
- Windows
- Cloud
- Endpoint
Data Sources
- File
- Network Traffic
- Application Log
Created: 2025-03-21