
Summary
This detection rule flags AppX packages entering the Windows AppX deployment pipeline from suspicious sources. It monitors Event ID 854 from the AppX deployment log and matches when the package's Path field contains a domain from a predefined list of risky hosting and tunnelling domains. Attackers abuse such domains to stage malicious packages that are then installed through a legitimate Windows mechanism, a tactic seen in supply chain attacks that can result in unauthorized remote access to the compromised system. Flagging packages sourced from these domains gives administrators an early signal to block the deployment and investigate the originating download. Because the rule performs a substring match on the path, a benign path that merely contains one of the listed domains (for example a mirror directory named after it) will also match, so hits should be triaged against the full path and package identity rather than treated as conclusive.
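The matching logic described above, run over a handful of constructed Event ID 854 records, as an added example that is not part of the original rule or page. The domain list is illustrative (the page refers to a predefined list without enumerating it), the field name Path is assumed to be the event's package-source field, and the stricter host-based variant is an addition for triage, not the rule's own behaviour:

```python
from urllib.parse import parse_qs, urlparse

# Illustrative domain list: the rule keys on a predefined list of risky domains
# that the page does not enumerate, so these entries are assumptions.
SUSPICIOUS_DOMAINS = ("cdn.discordapp.com", "ngrok.io", "anonfiles.com", "transfer.sh")

# Constructed sample events; field names mirror the Path field the rule inspects.
SAMPLE_EVENTS = [
    {"EventID": 854, "Path": "https://cdn.discordapp.com/attachments/111/222/Updater.msix"},
    {"EventID": 854, "Path": "C:\\Users\\alice\\Downloads\\Updater.msixbundle"},
    {"EventID": 854, "Path": "ms-appinstaller:?source=https://transfer.sh/abcd/Tool.appinstaller"},
    {"EventID": 855, "Path": "https://anonfiles.com/x/app.msix"},  # wrong event ID, ignored
    {"EventID": 854, "Path": "https://files.example.com/mirrors/ngrok.io/app.msix"},  # substring FP
]


def extract_host(path: str) -> str:
    """Best-effort host from a package Path.

    Handles plain URLs and ms-appinstaller: URIs (whose real source sits in the
    'source' query parameter, an assumption about how such paths are logged).
    Local and UNC paths yield '' because they carry no network host.
    """
    parsed = urlparse(path)
    if parsed.scheme.lower() == "ms-appinstaller":
        source = parse_qs(parsed.query).get("source", [""])[0]
        parsed = urlparse(source)
    return (parsed.hostname or "").lower()


def host_is_listed(host: str) -> bool:
    """Exact or subdomain match against the list, avoiding substring hits."""
    return any(host == d or host.endswith("." + d) for d in SUSPICIOUS_DOMAINS)


def is_suspicious_appx_event(event: dict, substring_match: bool = True) -> bool:
    """Apply the rule to one event.

    substring_match=True mirrors a 'Path contains <domain>' condition;
    substring_match=False only fires when the URL's host itself is listed.
    """
    if event.get("EventID") != 854:
        return False
    path = str(event.get("Path", ""))
    if substring_match:
        lowered = path.lower()
        return any(d in lowered for d in SUSPICIOUS_DOMAINS)
    return host_is_listed(extract_host(path))


def find_suspicious_appx_events(events, substring_match: bool = True) -> list:
    """Return the events the rule would flag."""
    return [e for e in events if is_suspicious_appx_event(e, substring_match)]


if __name__ == "__main__":
    for e in find_suspicious_appx_events(SAMPLE_EVENTS):
        print("rule match  :", e["Path"])
    for e in find_suspicious_appx_events(SAMPLE_EVENTS, substring_match=False):
        print("host match  :", e["Path"])
```

The substring pass reproduces the rule and flags three of the five records, including the mirror path whose host is not actually listed; the host-based pass drops that one, which is the distinction an analyst will want when deciding whether a hit is worth escalating.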
Categories
- Windows
- Cloud
- Application
Data Sources
- Windows Registry
- Process
- Logon Session
Created: 2023-01-11