
Summary
This detection rule identifies suspicious Excel files that contain the specific template identifier 'TM16390866' in their EXIF metadata. The rule applies to inbound messages that carry attachments and checks only files with the .xlsx extension. The presence of this template identifier suggests that the Excel file may use a malicious or specially crafted template, potentially for credential phishing. The rule leverages Exif analysis, reading the EXIF metadata associated with the file to find the Template key and compare its value against the identifier. The identified attack type is credential phishing, which is often associated with tactics such as evasion and the use of macros to execute harmful code. Because the severity of this threat is rated high, the rule emphasizes the importance of vigilance against files that may hide malicious content under the guise of a legitimate format.
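The following is an added illustration of the rule's matching logic, written for this page rather than taken from the detection rule or its vendor. It assumes that the Template metadata key exposed by Exif analysis for an .xlsx file comes from the `<Template>` element of `docProps/app.xml` inside the Office Open XML zip container, and that a match requires both the .xlsx extension and an exact value match; the sample attachments are constructed in memory. The identifier `TM16390866` is the one the rule description names.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Identifier named by the detection rule description.
SUSPICIOUS_TEMPLATE_ID = "TM16390866"

# docProps/app.xml uses the OOXML "extended-properties" namespace; the <Template>
# element there is what Exif-style tooling reports as the Template key (assumption).
EXT_PROPS_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
APP_XML_PATH = "docProps/app.xml"


def read_template_property(xlsx_bytes: bytes) -> Optional[str]:
    """Return the <Template> value from docProps/app.xml, or None if absent or unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
            if APP_XML_PATH not in zf.namelist():
                return None
            root = ET.fromstring(zf.read(APP_XML_PATH))
    except (zipfile.BadZipFile, ET.ParseError):
        # Corrupt container or malformed XML: treat as "no metadata" rather than crash.
        return None

    node = root.find(f"{{{EXT_PROPS_NS}}}Template")
    if node is None:
        # Some generators omit the default namespace; fall back to a local-name match.
        for child in root:
            if child.tag.rsplit("}", 1)[-1] == "Template":
                node = child
                break
    if node is None or node.text is None:
        return None
    return node.text.strip()


def is_suspicious_attachment(filename: str, content: bytes) -> bool:
    """Mirror the rule: .xlsx extension AND Template metadata equal to the flagged identifier."""
    if not filename.lower().endswith(".xlsx"):
        return False
    return read_template_property(content) == SUSPICIOUS_TEMPLATE_ID


def evaluate_message(attachments: List[Tuple[str, bytes]]) -> List[str]:
    """Return the filenames of attachments on an inbound message that the rule would flag."""
    return [name for name, data in attachments if is_suspicious_attachment(name, data)]


def build_xlsx(template: Optional[str]) -> bytes:
    """Constructed minimal OOXML container holding only the metadata part the rule inspects."""
    template_xml = f"<Template>{template}</Template>" if template is not None else ""
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{EXT_PROPS_NS}">'
        "<Application>Microsoft Excel</Application>"
        f"{template_xml}"
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr(APP_XML_PATH, app_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbound message: one attachment matching the rule, three that do not.
    message = [
        ("Q3_invoice.xlsx", build_xlsx(SUSPICIOUS_TEMPLATE_ID)),
        ("budget.xlsx", build_xlsx("Normal.xltx")),
        ("report.xlsm", build_xlsx(SUSPICIOUS_TEMPLATE_ID)),  # wrong extension for this rule
        ("notes.xlsx", b"not a zip at all"),
    ]
    for name in evaluate_message(message):
        print(f"flagged: {name}")
```

The extension check runs before the container is opened, so the zip and XML parsing cost is only paid for .xlsx attachments; malformed containers are treated as having no Template metadata, which keeps the detector from raising on junk input while still leaving the final decision to the exact identifier comparison.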
Categories
- Endpoint
- Web
- Application
Data Sources
- File
- Network Traffic
Created: 2025-09-17