
Summary
This detection rule identifies potentially malicious attachments that embed Visual Basic for Applications (VBA) macros, specifically macros containing hex-encoded strings that reference executable files (EXEs). The rule recursively examines every file and archive within inbound attachments and selects files by extension: common macro file types, known archive formats, or files that match criteria indicative of obfuscation, such as having no recognized file extension or a content type of application/octet-stream while remaining under a certain file size limit. It combines archive and file analysis with string matching to uncover executable references hidden inside the encoded VBA. Such behavior is often an indication of malware or ransomware attempting to execute obfuscated commands through seemingly innocuous documents, leveraging the everyday use of macros in Microsoft Office documents as a means to bypass security controls.
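The following is an added example, not the rule's own logic or code, that walks the two stages described above in Python: candidate selection by extension, content type and size (with archive recursion), then a search for hex runs that decode to an ".exe" reference. The macro extension list, the size threshold and the sample attachments are assumptions; real Office files keep their VBA in a compressed vbaProject.bin stream, so the samples store macro source as plain text to keep the focus on the matching stage.

```python
import io
import re
import zipfile

# Constructed samples (not from the page). Plain-text macro source stands in for
# a real OLE/OOXML container so no VBA extractor is needed here.
SUSPICIOUS_VBA = b'Sub AutoOpen()\n    Dim h As String\n' \
                 b'    h = "63 6d 64 2e 65 78 65"   \' decoded at run time\n' \
                 b'    Shell Decode(h), vbHide\nEnd Sub\n'
BENIGN_VBA = b'Sub AutoOpen()\n    MsgBox "Quarterly figures updated"\nEnd Sub\n'

MACRO_EXTS = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb", ".ppt", ".pptm"}
ARCHIVE_EXTS = {".zip"}
OCTET_STREAM = "application/octet-stream"
MAX_UNTYPED_SIZE = 5 * 1024 * 1024  # assumed threshold; the rule's own limit is not stated

def _ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""  # "" when there is no extension

def hex_encoded_exe(text):
    """True if any hex run (after stripping 0x/\\x/&H/% prefixes and separators)
    decodes to bytes containing '.exe'. Both byte alignments are tried."""
    normalized = re.sub(r"(?i)0x|\\x|&h|%|[\s,;_+\"'&]", "", text)
    for run in re.findall(r"(?i)[0-9a-f]{8,}", normalized):
        for candidate in (run, run[1:]):
            candidate = candidate[: len(candidate) - len(candidate) % 2]
            if b".exe" in bytes.fromhex(candidate).lower():
                return True
    return False

def is_candidate(name, content_type, size):
    """Mirror the selection criteria: macro extension, or untyped/octet-stream under the limit."""
    ext = _ext(name)
    if ext in MACRO_EXTS:
        return True
    return (ext == "" or content_type == OCTET_STREAM) and size < MAX_UNTYPED_SIZE

def scan_attachment(name, content_type, data, depth=0):
    """Recurse into zip archives; return names of members with hex-encoded EXE references."""
    hits = []
    if _ext(name) in ARCHIVE_EXTS and depth < 5 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():  # archive members carry no MIME type
                    hits += scan_attachment(info.filename, None, zf.read(info), depth + 1)
    elif is_candidate(name, content_type, len(data)) and hex_encoded_exe(data.decode("latin-1")):
        hits.append(name)
    return hits

def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload", b'x = "&H2E&H65&H78&H65"\n')  # no extension, &H-style hex for ".exe"
        zf.writestr("notes.txt", b"quarterly numbers attached")
    return buf.getvalue()

def run_demo():
    return {
        "invoice.docm": scan_attachment("invoice.docm", OCTET_STREAM, SUSPICIOUS_VBA),
        "minutes.docm": scan_attachment("minutes.docm", "application/vnd.ms-word.document.macroEnabled.12", BENIGN_VBA),
        "report.zip": scan_attachment("report.zip", "application/zip", build_sample_zip()),
    }
```

Note that a plain substring search for ".exe" would miss both samples; the decode step is what surfaces them, and the size and extension gates keep large typed files out of the expensive stage.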
Categories
- Endpoint
- Cloud
- Windows
- macOS
- Linux
Data Sources
- File
- Application Log
- Network Traffic
Created: 2021-12-01