
Summary
This detection rule targets unsolicited .sap (SAP shortcut) files, which attackers may use to execute malicious code on endpoints. The rule inspects inbound messages for attachments with a .sap file extension and checks whether the sender deviates from expected behavior: specifically, whether the sender is not a recognized trusted source or has previously sent malicious or spam content. To limit false positives, the rule also applies a conditional check against high-trust sender domains, taking into account whether those messages failed DMARC authentication. The severity is classified as low, reflecting the threat's risk relative to other threats. When a .sap file arrives outside of legitimate expectations, the rule raises an alert for further investigation. It is particularly relevant for organizations running SAP environments, which need to guard against social engineering and malware delivery through file attachments.
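The following is an added worked example, not the rule's own implementation, showing how the logic described above can be evaluated over a batch of inbound messages. It assumes three inputs the page does not define in detail: a set of trusted sender addresses, a set of senders previously seen sending malicious or spam content, and a set of high-trust domains. It also assumes one reading of the DMARC condition: the high-trust domain exception suppresses the alert only when the message passed DMARC, so a high-trust domain that fails authentication is still flagged. All sample messages are constructed for the example.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Set

# Severity stated by the rule summary.
SEVERITY = "low"


@dataclass
class Message:
    msg_id: str
    sender: str            # full sender address
    attachments: List[str]  # attachment file names
    dmarc_pass: bool        # result of DMARC authentication for this message


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def has_sap_attachment(filenames: List[str]) -> bool:
    """True if any attachment's final extension is .sap (case-insensitive).

    splitext is used so that names such as 'report.sap.txt' do not match.
    """
    return any(os.path.splitext(name)[1].lower() == ".sap" for name in filenames)


def should_alert(msg: Message,
                 trusted_senders: Set[str],
                 known_bad_senders: Set[str],
                 high_trust_domains: Set[str]) -> bool:
    """Apply the rule's conditions to a single message."""
    if not has_sap_attachment(msg.attachments):
        return False
    sender = msg.sender.lower()
    # Sender deviates from expected behaviour: not a recognised trusted
    # source, or has previously sent malicious/spam content.
    sender_is_suspicious = sender not in trusted_senders or sender in known_bad_senders
    if not sender_is_suspicious:
        return False
    # Assumed reading of the high-trust exception: suppress only when the
    # message also passed DMARC; a DMARC failure keeps the alert.
    if sender_domain(sender) in high_trust_domains and msg.dmarc_pass:
        return False
    return True


def evaluate(messages: List[Message],
             trusted_senders: Set[str],
             known_bad_senders: Set[str],
             high_trust_domains: Set[str]) -> List[Dict[str, str]]:
    """Return one alert record per message that matches the rule."""
    return [
        {"msg_id": m.msg_id, "sender": m.sender, "severity": SEVERITY}
        for m in messages
        if should_alert(m, trusted_senders, known_bad_senders, high_trust_domains)
    ]


def run_demo() -> List[Dict[str, str]]:
    """Constructed sample data (hypothetical addresses and domains)."""
    trusted = {"it@corp.example", "ops@corp.example"}
    known_bad = {"ops@corp.example"}          # trusted address later seen sending spam
    high_trust = {"partner.example"}
    messages = [
        Message("m1", "billing@unknown-vendor.test", ["invoice.sap"], True),   # unknown sender
        Message("m2", "it@corp.example", ["launch.sap"], True),               # trusted, clean
        Message("m3", "helpdesk@partner.example", ["shortcut.sap"], True),    # high-trust, DMARC pass
        Message("m4", "helpdesk@partner.example", ["shortcut.SAP"], False),   # high-trust, DMARC fail
        Message("m5", "billing@unknown-vendor.test", ["notes.sap.txt"], True),  # not a .sap file
        Message("m6", "ops@corp.example", ["report.sap"], True),              # trusted but previously bad
    ]
    return evaluate(messages, trusted, known_bad, high_trust)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Only m1, m4 and m6 produce alerts: the unknown sender, the high-trust domain that failed DMARC, and the trusted address with a history of spam. The trusted clean sender, the high-trust domain that passed DMARC, and the message whose attachment merely contains ".sap" in the middle of its name are all suppressed.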
Categories
- Endpoint
- Cloud
- Network
Data Sources
- File
- Network Traffic
- Application Log
Created: 2025-10-28