diff --git a/rules/proxy/proxy_ua_rclone.yml b/rules/proxy/proxy_ua_rclone.yml
new file mode 100644
index 000000000..706bc3437
--- /dev/null
+++ b/rules/proxy/proxy_ua_rclone.yml
@@ -0,0 +1,23 @@
+title: Rclone Activity via Proxy
+id: 2c03648b-e081-41a5-b9fb-7d854a915091
+status: experimental 
+description: Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
+author: Janantha Marasinghe
+references:
+   - https://rclone.org/
+   - https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone
+date: 2022/10/18
+tags:
+   - attack.exfiltration
+   - attack.t1567.002
+logsource:
+   category: proxy
+detection:
+   selection:
+      c-useragent|startswith: 'rclone/v'
+   condition: selection
+fields:
+   - c-ip
+falsepositives:
+   - Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations
+level: medium