diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml b/deprecated/windows/file_event_win_office_outlook_rdp_file_creation.yml
similarity index 97%
rename from rules/windows/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml
rename to deprecated/windows/file_event_win_office_outlook_rdp_file_creation.yml
index 046310174..fabcab63a 100644
--- a/rules/windows/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml
+++ b/deprecated/windows/file_event_win_office_outlook_rdp_file_creation.yml
@@ -3,7 +3,7 @@ id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
 related:
 - id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d
 type: derived
-status: experimental
+status: deprecated
 description: |
 Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when opening attachments.
 This can be used to detect spear-phishing campaigns that use RDP files as attachments.
@@ -13,7 +13,7 @@ references:
 - https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29
 author: Florian Roth
 date: 2024-11-01
-modified: 2024-11-03
+modified: 2025-07-22
 tags:
 - attack.defense-evasion
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_susp_file_creation_in_temp_dir.yml b/rules/windows/file/file_event/file_event_win_office_outlook_susp_file_creation_in_temp_dir.yml
new file mode 100644
index 000000000..3aaabb822
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_office_outlook_susp_file_creation_in_temp_dir.yml
@@ -0,0 +1,43 @@
+title: Suspicious File Created in Outlook Temporary Directory
+id: fabb0e80-030c-4e3e-a104-d09676991ac3
+related:
+ - id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
+ type: obsolete
+status: experimental
+description: |
+ Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
+ This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
+references:
+ - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
+ - https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
+ - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
+author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-07-22
+tags:
+ - attack.initial-access
+ - attack.t1566.001
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection_extension:
+ TargetFilename|endswith:
+ - '.cpl'
+ - '.hta'
+ - '.iso'
+ - '.rdp'
+ - '.svg'
+ - '.vba'
+ - '.vbe'
+ - '.vbs'
+ selection_location:
+ - TargetFilename|contains:
+ - '\AppData\Local\Packages\Microsoft.Outlook_'
+ - '\AppData\Local\Microsoft\Olk\Attachments\'
+ - TargetFilename|contains|all:
+ - '\AppData\Local\Microsoft\Windows\'
+ - '\Content.Outlook\'
+ condition: all of selection_*
+falsepositives:
+ - Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
index c9a07092e..3bd6f6098 100644
--- a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
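Review bot: The `falsepositives` entry near the end of the new rule only covers SVG signature images, while `selection_extension` fires at `level: high` on eight extensions and the `description` never says which ones are in scope, so an analyst triaging a `.iso` or `.hta` hit has no documented expectation to compare against. I would add a third description line, `Covered extensions: .cpl, .hta, .iso, .rdp, .svg, .vba, .vbe, .vbs.`, and a false-positive line for the non-SVG cases that are expected in the environment (for example ISO or RDP attachments exchanged by administrators). Given the stated false positive, `.svg` hits from signatures are likely to dominate the volume at `high`; if that proves true in deployment, splitting `.svg` into its own selection with a lower level would keep the rest of the list actionable. The two-map list under `selection_location` is an OR between the new Outlook paths and the classic `Content.Outlook` path, which is correct Sigma semantics but easy to misread; a comment such as `# list of maps = OR: new Outlook (Packages/Olk) or classic Outlook (Content.Outlook)` above it would help.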
@@ -14,9 +14,10 @@ references:
 - https://twitter.com/malwrhunterteam/status/1235135745611960321
 - https://twitter.com/luc4m/status/1073181154126254080
 - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
+ - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2022-06-19
-modified: 2025-05-30
+modified: 2025-07-22
 tags:
 - attack.defense-evasion
 - attack.t1036.007
@@ -29,6 +30,7 @@ detection:
 - '.exe'
 - '.iso'
 - '.rar'
+ - '.svg'
 - '.zip'
 # - '.lnk' # legitimate links can happen just anywhere
 TargetFilename|contains:
@@ -43,7 +45,9 @@ detection:
 - '.png.'
 - '.ppt.'
 - '.pptx.'
+ - '.rtf.'
 - '.svg.'
+ - '.txt.'
 - '.xls.'
 - '.xlsx.'
 selection_exe:
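Review bot: Adding `'.txt.'` in the third hunk makes ordinary names such as `report.txt.zip` or `log.txt.rar` match, because `.zip` and `.rar` are in the `endswith` list shown in the second hunk and both lists appear to belong to the same selection (the selection key itself is above the hunk, so this is inferred from layout). Archiving a plain-text or RTF file with its extension kept in the name is a common legitimate pattern, and the hunks add no matching false-positive entry or filter for it. At minimum the `falsepositives` section, which is outside these hunks, should gain a line like `- Plain-text or RTF files compressed with the original extension kept in the name (e.g. notes.txt.zip)`; if the volume turns out to be high, a `filter_main_archived_text` selection on `TargetFilename|endswith` with `'.txt.zip'` and `'.rtf.zip'` excluded in the `condition` would be the cleaner fix. The new `'.svg'` in the second hunk's `endswith` list looks consistent with the vipre reference added in the first hunk.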