.RDP File Created by Outlook Process

Sigma Rules

Summary
This rule detects the creation of files with a ".rdp" extension in the temporary directories Microsoft Outlook uses when it processes email attachments. Such files can indicate spear-phishing activity, particularly when RDP files are delivered as attachments. The rule matches file events only within the directories associated with Outlook's attachment handling, so security teams can detect and respond to this threat. Monitoring the creation of these files helps organizations mitigate the risk of malicious RDP file usage, especially in targeted attacks that use email as a vector.
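As an added illustration (not the Sigma rule's own logic and not code from this page), the Python sketch below applies the check the summary describes to constructed file-creation events. The directory markers, the Sysmon-style field names `Image` and `TargetFilename`, and the sample events are assumptions; the page does not list the exact paths the rule matches.

```python
import ntpath

# Assumed Outlook attachment locations (not listed on the page). Each tuple holds
# substrings that must all appear in the lower-cased directory part of the path.
OUTLOOK_ATTACHMENT_DIRS = (
    ("\\appdata\\local\\microsoft\\windows\\", "\\content.outlook\\"),  # classic Outlook cache
    ("\\appdata\\local\\microsoft\\olk\\attachments\\",),               # new Outlook
    ("\\appdata\\local\\packages\\microsoft.outlook_",),                # packaged Outlook
)

def is_rdp_in_outlook_cache(target_filename):
    """True if the path names a .rdp file inside an Outlook attachment directory."""
    # Windows paths are case-insensitive; unify separators before matching.
    path = target_filename.replace("/", "\\").lower()
    # Ignore an alternate-data-stream suffix such as ':Zone.Identifier'.
    name = ntpath.basename(path).split(":", 1)[0]
    if not name.endswith(".rdp"):
        return False
    directory = ntpath.dirname(path) + "\\"
    return any(all(marker in directory for marker in markers)
               for markers in OUTLOOK_ATTACHMENT_DIRS)

def find_hits(events):
    """Return (process name, file path) for every matching file-creation event."""
    return [(ntpath.basename(e.get("Image", "")), e["TargetFilename"])
            for e in events
            if is_rdp_in_outlook_cache(e.get("TargetFilename", ""))]

# Constructed sample events, shaped like Sysmon file-creation records.
CACHE = r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    {"Image": OUTLOOK, "TargetFilename": CACHE + r"\Meeting.RDP"},        # hit (case differs)
    {"Image": OUTLOOK, "TargetFilename": CACHE + r"\agenda.docx"},        # wrong extension
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\lab.rdp"},                # wrong directory
    {"Image": r"C:\Program Files\WindowsApps\olk.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Microsoft\Olk\Attachments\ooa-1\invoice.pdf.rdp"},
]

if __name__ == "__main__":
    for process, path in find_hits(SAMPLE_EVENTS):
        print(f"ALERT {process} wrote {path}")
```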
Categories
  • Endpoint
  • Windows
Data Sources
  • File
Created: 2024-11-01