Bitsadmin to Uncommon IP Server Address

Summary
This detection rule identifies Microsoft Background Intelligent Transfer Service (BITS) connections made to IP addresses rather than to fully qualified domain names (FQDNs). BITS can be abused to download payloads, and direct connections to IP addresses are harder to trace back to a legitimate domain than connections to a named host. The rule matches events whose user-agent string starts with 'Microsoft BITS/' and whose destination host ends in a numerical digit, a combination that typically indicates an unconventional and potentially suspicious destination. The detection is rated high severity because such traffic may indicate command-and-control activity or a persistence mechanism that circumvents traditional security controls.
Categories
  • Windows
  • Network
Data Sources
  • Network Traffic
  • Application Log
Created: 2022-06-10