
Potential Masquerading as Business App Installer

Elastic Detection Rules

Summary
This detection rule identifies potential masquerading attacks in which malicious executables disguise themselves as legitimate business applications, an approach attackers use to trick users into downloading malware. The rule specifically targets executable files found in user download directories on Windows hosts that either lack a code signature or carry an untrusted one. Such files are indicative of potentially malicious software posing as widely used applications such as Slack, WebEx, Teams, Discord, WhatsApp, and Zoom. Using EQL (Event Query Language), the rule checks for executables whose names match those applications' naming conventions but that lack the vendor's signature or have an untrusted signature, thereby flagging risky downloads that may compromise system integrity. It recommends several investigation steps to confirm suspicious behavior, including reviewing process names, checking code signing status, examining download sources, and analyzing network activity related to these executables. It also lists likely false positives and suggested remediation actions in case of an incident, including isolating the affected system and alerting the security operations team for further investigation.
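Added example, not the rule's own EQL: a Python model of the matching logic the summary describes, run over constructed process-start events with flattened ECS-style field names. The field names, the list of application name fragments and the Downloads-path scoping are assumptions for illustration; the published rule's query may differ in all three.

```python
import re

# Business app names the summary lists; the published rule's own name
# patterns may differ (assumption for this illustration).
BUSINESS_APPS = ("slack", "webex", "teams", "discord", "whatsapp", "zoom")

# A Windows per-user Downloads folder, e.g. C:\Users\alice\Downloads\
# (assumption about how the real rule scopes the path).
DOWNLOADS_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\downloads\\", re.IGNORECASE)


def is_masquerade_candidate(event: dict) -> bool:
    """True when a process-start event fits the rule logic described above:
    Windows host, executable launched from a user's Downloads folder, file
    name resembling a business application, and no trusted code signature."""
    if event.get("event.type") != "start" or event.get("host.os.type") != "windows":
        return False
    if not DOWNLOADS_RE.match(event.get("process.executable", "")):
        return False
    name = event.get("process.name", "").lower()
    if not name.endswith(".exe") or not any(app in name for app in BUSINESS_APPS):
        return False
    # An absent signature block (unsigned) and a signature whose trust check
    # failed (trusted == False) are both treated as untrusted.
    return event.get("process.code_signature.trusted") is not True


def find_candidates(events):
    """Return the subset of events that should raise this alert."""
    return [e for e in events if is_masquerade_candidate(e)]


def _ev(name, path, trusted=None, os="windows"):
    """Build a constructed process-start event with flattened ECS-style keys."""
    e = {"event.type": "start", "host.os.type": os,
         "process.name": name, "process.executable": path}
    if trusted is not None:
        e["process.code_signature.trusted"] = trusted
    return e


# Constructed sample events: only the second and third should alert.
SAMPLE_EVENTS = [
    _ev("SlackSetup.exe", r"C:\Users\alice\Downloads\SlackSetup.exe", trusted=True),  # signed, trusted
    _ev("ZoomInstaller.exe", r"C:\Users\alice\Downloads\ZoomInstaller.exe"),          # unsigned
    _ev("Teams_Setup.exe", r"C:\Users\bob\Downloads\Teams_Setup.exe", trusted=False),  # untrusted signature
    _ev("discord.exe", r"C:\Program Files\Discord\discord.exe"),                      # not in Downloads
    _ev("zoom.exe", "/home/carol/Downloads/zoom.exe", os="linux"),                    # not Windows
]

if __name__ == "__main__":
    for e in find_candidates(SAMPLE_EVENTS):
        print("ALERT:", e["process.executable"])
```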
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1036
  • T1036.001
  • T1036.005
  • T1189
  • T1204
  • T1204.002
Created: 2023-09-01