
Summary
This detection rule identifies .rdp files being opened from the temporary directory that Microsoft Outlook uses when a user opens an email attachment. It is motivated by spear-phishing campaigns attributed to APT29 that deliver .rdp files as attachments; once opened, the file initiates an unauthorized remote connection from the victim host. The rule relies on Windows Security event ID 4688 (process creation). A .rdp file is not itself executable: what appears in telemetry is a new process (normally mstsc.exe) whose command line carries the path of the .rdp file, so the rule only works when command-line logging is enabled for process creation events; without it, the file path is not recorded and the rule cannot match. The detection logic looks for the .rdp extension inside Outlook's attachment folder under the user's AppData directory (the Content.Outlook path), rather than anywhere on disk, which keeps .rdp files saved intentionally by the user out of scope. On a match, the event is tabulated with timestamp, host, user and process details for follow-up investigation.
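The following is an added example written for this page and is not the rule's own search logic or any vendor code. It replays the detection described above over a handful of constructed event 4688 records (the field names mirror the XML fields of event 4688; the Content.Outlook path under AppData\Local, including the older Temporary Internet Files variant, is assumed from how Outlook stages attachments). It also shows the two conditions a practitioner should test for: a .rdp opened from outside Outlook's folder must not match, and an event recorded without command-line auditing cannot match at all.

```python
import re
from typing import Iterable

# Outlook stages opened attachments under the user's AppData\Local tree in a
# Content.Outlook\<random> folder (assumption: current Outlook builds use
# INetCache, older ones used Temporary Internet Files). The file name must end
# in .rdp and be followed by a quote, whitespace or end of command line.
OUTLOOK_TEMP_RDP = re.compile(
    r'\\AppData\\Local\\Microsoft\\Windows\\'
    r'(?:INetCache|Temporary Internet Files)\\Content\.Outlook\\'
    r'[^\\"]+\\[^"]+?\.rdp(?=["\s]|$)',
    re.IGNORECASE,
)


def is_outlook_temp_rdp(command_line: str) -> bool:
    """True if the command line references a .rdp file in Outlook's temp folder."""
    return OUTLOOK_TEMP_RDP.search(command_line) is not None


def detect(events: Iterable[dict]) -> list[dict]:
    """Apply the rule to 4688 records and return the tabulated hits."""
    rows = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        # Without command-line auditing this field is empty and nothing matches.
        match = OUTLOOK_TEMP_RDP.search(ev.get("CommandLine", ""))
        if not match:
            continue
        rows.append({
            "_time": ev["TimeCreated"],
            "host": ev["Computer"],
            "user": ev["SubjectUserName"],
            "process": ev["NewProcessName"],
            "parent_process": ev.get("ParentProcessName", ""),
            "rdp_path": match.group(0),
        })
    return rows


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {   # attachment opened straight from Outlook: should match
        "EventID": 4688, "TimeCreated": "2024-10-22T14:03:11Z",
        "Computer": "WS-0142", "SubjectUserName": "jdoe",
        "NewProcessName": r"C:\Windows\System32\mstsc.exe",
        "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "CommandLine": r'"C:\Windows\System32\mstsc.exe" "C:\Users\jdoe\AppData\Local'
                       r'\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34\invoice.rdp"',
    },
    {   # admin's saved connection file in Documents: must not match
        "EventID": 4688, "TimeCreated": "2024-10-22T14:05:40Z",
        "Computer": "WS-0142", "SubjectUserName": "jdoe",
        "NewProcessName": r"C:\Windows\System32\mstsc.exe",
        "CommandLine": r'"C:\Windows\System32\mstsc.exe" "C:\Users\jdoe\Documents\jumphost.rdp"',
    },
    {   # older Outlook folder layout and upper-case extension: should match
        "EventID": 4688, "TimeCreated": "2024-10-22T15:17:02Z",
        "Computer": "WS-0077", "SubjectUserName": "asmith",
        "NewProcessName": r"C:\Windows\System32\mstsc.exe",
        "CommandLine": r"mstsc.exe C:\Users\asmith\AppData\Local\Microsoft\Windows"
                       r"\Temporary Internet Files\Content.Outlook\XYZ98765\Report.RDP",
    },
    {   # PDF attachment from the same folder: wrong extension, must not match
        "EventID": 4688, "TimeCreated": "2024-10-22T15:20:13Z",
        "Computer": "WS-0077", "SubjectUserName": "asmith",
        "NewProcessName": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
        "CommandLine": r'"C:\Program Files\Adobe\Acrobat\Acrobat.exe" "C:\Users\asmith\AppData'
                       r'\Local\Microsoft\Windows\INetCache\Content.Outlook\XYZ98765\brief.pdf"',
    },
    {   # command-line auditing disabled: the path is simply not logged
        "EventID": 4688, "TimeCreated": "2024-10-22T16:01:55Z",
        "Computer": "WS-0142", "SubjectUserName": "jdoe",
        "NewProcessName": r"C:\Windows\System32\mstsc.exe",
        "CommandLine": "",
    },
]


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

The rule keys on the path, not on mstsc.exe, so anything handed a .rdp from Content.Outlook is reported; the parent process is carried into the output because an Outlook parent is the strongest confirmation that the file arrived as an attachment.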
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1021.001
- T1566.001
Created: 2024-02-09