
Summary
This detection rule aims to identify potential exploitation attempts of CVE-2024-21413, a critical remote code execution vulnerability affecting Microsoft Outlook. The vulnerability can be exploited through specially crafted messages that contain links using the 'file://' protocol, which can bypass Outlook's built-in security protections. The rule uses a regular expression to determine whether a URL in the message ends with a valid file extension followed by an exclamation mark, a pattern associated with files hosted on attacker-controlled servers and therefore indicative of potential malicious intent. This makes the rule critical in preventing unauthorized execution of code on user machines through email, and it highlights the importance of scrutinizing how links are handled and processed in Outlook messages, especially when they deviate from standard web protocols. This proactive approach can help mitigate risks associated with malware delivery and ransomware attacks as outlined in the applicable attack types.
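As an added illustration of the detection logic described above (example code written for this page, not the rule's own implementation), the following Python scans message text for 'file://' links whose path ends in a file extension followed by an exclamation mark. The regular expression, the extension list, and the sample messages are assumptions constructed for this example; the page does not publish the rule's actual pattern.

```python
import re

# Assumed detection pattern (not the rule's published regex): a file:// URL whose
# path ends with a dot-extension immediately followed by '!'. The extension list is
# illustrative; a production rule would carry its own, tuned list.
FILE_BANG_PATTERN = re.compile(
    r"file://[^\s\"'<>]*?\.(?:docx?|xlsx?|pptx?|pdf|rtf|txt|zip|exe|dll|lnk|html?)!",
    re.IGNORECASE,
)


def find_suspicious_file_links(text: str) -> list[str]:
    """Return every file:// link in *text* matching the extension-plus-'!' pattern.

    The group inside the pattern is non-capturing, so findall() yields the full
    matched link rather than just the extension.
    """
    return FILE_BANG_PATTERN.findall(text)


def scan_messages(messages: dict[str, str]) -> dict[str, list[str]]:
    """Map each message id to its suspicious links, keeping only messages with hits."""
    hits: dict[str, list[str]] = {}
    for message_id, body in messages.items():
        links = find_suspicious_file_links(body)
        if links:
            hits[message_id] = links
    return hits


# Constructed sample message bodies (not real mail). Hosts use documentation-only
# names and addresses (.invalid, 203.0.113.0/24) so nothing here resolves.
SAMPLE_MESSAGES = {
    "benign-https": "Please review https://intranet.example.invalid/report.docx before Friday.",
    "benign-file-no-bang": "Archive copy kept at file://fileserver.example.invalid/share/report.docx",
    "suspicious-file-bang": 'See <a href="file://203.0.113.10/share/invoice.rtf!">invoice</a>',
    "suspicious-upper-case": "Quarterly numbers: FILE://host.example.invalid/q4/Q4.PDF!",
}

if __name__ == "__main__":
    for message_id, links in scan_messages(SAMPLE_MESSAGES).items():
        print(f"{message_id}: {links}")
```

The distinction the rule draws is visible in the samples: an ordinary 'file://' share link without the trailing exclamation mark does not match, while the same kind of link with the extension-plus-'!' suffix does, regardless of letter case. In a deployment this function would run over the rule's listed data sources (application logs or captured network traffic) rather than over inline strings.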
Categories
- Endpoint
- Application
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2024-02-14