Encrypted Microsoft Office Files From Untrusted Senders

Sublime Rules

Summary
This detection rule identifies encrypted Microsoft Office documents (Word, Excel, PowerPoint, and Access files) sent from untrusted senders, or from reputable domains that have failed DMARC authentication. Because an encrypted document cannot be inspected by content scanners, such attachments may indicate an attempt to bypass standard security checks. The rule evaluates incoming attachments on several conditions: file extension, content type, and the trust level of the sender's domain. Importantly, a message from a high-trust domain still triggers the alert when it fails DMARC authentication, since that combination can indicate spoofing or evasion. The rule performs file analysis, uses YARA for pattern matching against known threats, and conducts sender analysis to classify the risk level.
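As an added illustration (not the Sublime rule itself, which is written in Sublime's own query language), the following Python sketch walks through the rule's decision logic: Office file type, an encryption indicator, sender trust level, and the DMARC override for high-trust domains. The extension lists, the `sender_trust` classification, the OLE-header heuristic and the sample messages are constructed assumptions for this example.

```python
from dataclasses import dataclass

# Office types the rule covers (Word, Excel, PowerPoint, Access); illustrative lists.
OFFICE_EXTENSIONS = {"doc", "docm", "docx", "xls", "xlsm", "xlsx", "ppt", "pptm", "pptx", "accdb", "mdb"}
OOXML_EXTENSIONS = {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm"}
OFFICE_CONTENT_TYPES = ("application/msword", "application/vnd.ms-excel",
                        "application/vnd.ms-powerpoint", "application/vnd.openxmlformats-officedocument")
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file header
ZIP_MAGIC = b"PK\x03\x04"                       # an unencrypted OOXML file is a plain ZIP

@dataclass
class Attachment:
    file_name: str
    content_type: str
    head: bytes  # leading bytes of the file, as file analysis would expose them

@dataclass
class Message:
    sender_domain: str
    sender_trust: str  # constructed classification: "high" or "low"
    dmarc_pass: bool
    attachments: list

def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def is_office_file(a: Attachment) -> bool:
    return extension(a.file_name) in OFFICE_EXTENSIONS or a.content_type.startswith(OFFICE_CONTENT_TYPES)

def looks_encrypted(a: Attachment) -> bool:
    """Heuristic: a password-protected OOXML document is stored as an OLE container
    (EncryptedPackage stream) rather than a ZIP, so an OLE header behind a .docx/.xlsx/.pptx
    name is a strong encryption indicator. Legacy .doc/.xls need a deeper stream parse."""
    return extension(a.file_name) in OOXML_EXTENSIONS and a.head.startswith(OLE_MAGIC)

def sender_untrusted(m: Message) -> bool:
    # A high-trust domain is trusted only while DMARC passes; a failure is treated as spoofing.
    return m.sender_trust != "high" or not m.dmarc_pass

def rule_matches(m: Message) -> bool:
    return sender_untrusted(m) and any(is_office_file(a) and looks_encrypted(a) for a in m.attachments)

# Constructed sample messages (not real mail).
ENC = Attachment("invoice.docx", "application/octet-stream", OLE_MAGIC + b"\x00" * 8)
PLAIN = Attachment("invoice.docx", OFFICE_CONTENT_TYPES[3] + ".wordprocessingml.document", ZIP_MAGIC + b"\x00" * 12)
SAMPLES = {
    "unknown_sender_encrypted": Message("example.test", "low", True, [ENC]),
    "trusted_sender_dmarc_pass": Message("partner.example", "high", True, [ENC]),
    "trusted_sender_dmarc_fail": Message("partner.example", "high", False, [ENC]),
    "unknown_sender_plain": Message("example.test", "low", True, [PLAIN]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: {'ALERT' if rule_matches(msg) else 'ok'}")
```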
Categories
  • Endpoint
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • File
  • Web Credential
  • Network Traffic
Created: 2025-06-04