Potential CVE-2024-21413: Outbound SMB from Outlook

Anvilogic Forge

Summary
This rule detects potential exploitation of CVE-2024-21413, a critical remote code execution vulnerability in Microsoft Outlook. A specially crafted hyperlink in an email (a file:// link with an exclamation mark appended to the target path, the flaw Check Point Research named MonikerLink) makes Outlook bypass Protected View and open the link target in editing mode; because the Preview Pane is an attack vector, the victim does not need to click anything. When the link target sits on an attacker-controlled host, Outlook initiates an SMB connection to that host and leaks the user's NTLM credentials during authentication, and an attacker who succeeds can gain high privileges, including read, write and delete access. The rule flags this by looking for outbound SMB connections (TCP 445) initiated by the Outlook process (outlook.exe). Outlook has no legitimate reason to open SMB sessions to hosts outside the organization, so any such connection to an IP address outside the internal ranges (RFC 1918 and similar) is a strong indication that the exploit fired. The rule is written for Splunk and filters Windows endpoint network-connection events (for example Sysmon Event ID 3) for the outlook.exe process and the SMB port, excluding destination addresses in the ranges typically used by internal networks to reduce false positives from ordinary file-share access.
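To make the detection logic concrete, the following is an added example (not part of the Anvilogic page or of the rule itself) in Python that applies the same filters the summary describes to constructed, Sysmon-style network-connection events. The field names follow the common Sysmon Event ID 3 layout, and the hosts, users and IP addresses are assumed for illustration only.

```python
"""
Added example (not Anvilogic's rule code): the detection logic described in the
summary, run over constructed Sysmon-style network-connection events.
Field names follow the common Sysmon Event ID 3 layout
(EventCode, Image, Initiated, DestinationIp, DestinationPort).
"""
import ipaddress
from typing import Dict, Iterable, List

# Address ranges treated as internal. Outlook talking SMB to these is ordinary
# file-share traffic; to anything else it is the CVE-2024-21413 signal.
# Listed explicitly rather than via ipaddress.is_private, because that flag also
# matches the documentation ranges used below as stand-in external addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]
SMB_PORTS = {445, 139}  # SMB direct-host and legacy NetBIOS session service


def is_internal(ip: str, extra_allowed: Iterable[str] = ()) -> bool:
    """True if ip falls inside an internal range or an org-specific allowlist."""
    addr = ipaddress.ip_address(ip)
    nets = INTERNAL_NETS + [ipaddress.ip_network(n) for n in extra_allowed]
    return any(addr in net for net in nets)  # version mismatch simply yields False


def outlook_outbound_smb(events: Iterable[Dict], extra_allowed: Iterable[str] = ()) -> List[Dict]:
    """Return events where outlook.exe initiated an SMB connection to a non-internal IP."""
    findings = []
    for ev in events:
        if int(ev.get("EventCode", -1)) != 3:                # network-connection events only
            continue
        if str(ev.get("Initiated", "")).lower() != "true":  # outbound only
            continue
        # Match on the image file name, case-insensitively, regardless of install path.
        image = str(ev.get("Image", "")).replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image != "outlook.exe":
            continue
        if int(ev.get("DestinationPort", 0)) not in SMB_PORTS:
            continue
        if is_internal(ev["DestinationIp"], extra_allowed):
            continue
        findings.append({
            "host": ev.get("Computer"),
            "user": ev.get("User"),
            "dest": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
            "image": ev.get("Image"),
        })
    return findings


# Constructed sample events (not real telemetry). 203.0.113.0/24 and 198.51.100.0/24
# are RFC 5737 documentation ranges standing in for attacker-controlled hosts.
OUTLOOK = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    {"EventCode": 3, "Computer": "ws01", "User": "CORP\\alice", "Initiated": "true",
     "Image": OUTLOOK, "DestinationIp": "203.0.113.10", "DestinationPort": 445},   # exploit signal
    {"EventCode": 3, "Computer": "ws01", "User": "CORP\\alice", "Initiated": "true",
     "Image": OUTLOOK, "DestinationIp": "10.20.30.40", "DestinationPort": 445},    # internal file share
    {"EventCode": 3, "Computer": "ws02", "User": "CORP\\bob", "Initiated": "true",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 445},                     # wrong process
    {"EventCode": 3, "Computer": "ws02", "User": "CORP\\bob", "Initiated": "true",
     "Image": OUTLOOK, "DestinationIp": "203.0.113.10", "DestinationPort": 443},   # HTTPS, not SMB
    {"EventCode": 3, "Computer": "ws03", "User": "CORP\\carol", "Initiated": "true",
     "Image": "c:\\program files (x86)\\microsoft office\\office16\\outlook.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 139},                     # legacy port, lowercase path
    {"EventCode": 3, "Computer": "ws03", "User": "CORP\\carol", "Initiated": "false",
     "Image": OUTLOOK, "DestinationIp": "203.0.113.10", "DestinationPort": 445},   # inbound, not initiated
    {"EventCode": 1, "Computer": "ws01", "User": "CORP\\alice", "Image": OUTLOOK},  # process creation, ignored
]

if __name__ == "__main__":
    for hit in outlook_outbound_smb(SAMPLE_EVENTS):
        print("ALERT outlook.exe SMB to non-internal host:", hit)
```

The same filters translate directly to the Splunk search the rule implements: network-connection events whose Image ends in outlook.exe, DestinationPort 445 (or 139), Initiated true, and DestinationIp outside the internal ranges, with an organisation-specific allowlist for any public-facing file servers. One caveat a practitioner should keep in mind: if outbound 445 is blocked at the perimeter, Windows retries the UNC path over WebDAV through the WebClient service, and that connection is made by svchost.exe on port 80 rather than by outlook.exe, so this rule will not see it; pair it with WebClient telemetry if 445 egress is already filtered.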
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
  • Windows Registry
ATT&CK Techniques
  • T1204.001
Created: 2024-02-09