diff --git a/detection-rules/attachment_powerpoint_generated.yml b/detection-rules/attachment_powerpoint_generated.yml
new file mode 100644
index 00000000000..a8f973df632
--- /dev/null
+++ b/detection-rules/attachment_powerpoint_generated.yml
@@ -0,0 +1,24 @@
+name: "Attachment: PowerPoint file generated with python-pptx library"
+description: "Detects PowerPoint presentations (.ppt, .pptx) or OpenDocument presentations (.odt) that contain strings indicating they were created using the python-pptx library, which may suggest automated generation for malicious purposes."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(filter(attachments, .file_extension in~ ("ppt", "pptx", "odt")),
+  //
+  // This rule makes use of a beta feature and is subject to change without notice
+  // using the beta feature in custom rules is not suggested until it has been formally released
+  //
+  any(beta.parse_exif(.).fields, .value == "generated using python-pptx")
+  )
+attack_types:
+  - "Malware/Ransomware"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "Content analysis"
+id: "7bb3fb81-26a0-56e7-9eeb-880d41c12541"
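Review bot: The extension filter in `source` lists `"odt"`, which is the OpenDocument text format, while the `description` says the rule covers OpenDocument presentations; the presentation extension is `.odp`, so as written the rule never inspects OpenDocument presentations and instead inspects text documents that python-pptx does not produce. Either the filter or the description should change so they agree, e.g. `.file_extension in~ ("ppt", "pptx", "odp")` with the description wording updated to `(.odp)`. The `.value == "generated using python-pptx"` comparison is an exact match; if the EXIF field can carry additional text around that marker, a substring comparison would be more robust, though that depends on what `beta.parse_exif` returns for these files and should be confirmed against sample output before changing it.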