Attachment with auto-executing macro (unsolicited)

Sublime Rules

Summary
This rule detects unsolicited email attachments that carry auto-executing macros, a tactic commonly used in phishing to deliver malware as soon as the file is opened. An attachment qualifies when it either has a file extension associated with macros, or is recognised as 'unknown' while carrying attributes that suggest potentially malicious content: a content type of 'application/octet-stream' and a size under 100MB. Macro analysis is then applied to confirm that the detected macros contain keywords linked to automatic execution. The sender profile is also checked: the rule fires when the sender is not solicited, or when the sender has a history of sending malicious or spam messages with no prior false positives. A reply negation check excludes legitimate responses. Overall, the rule guards against the prevalent threat of macro-based malware arriving in unsolicited email.
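The following Python is an added illustration of the detection logic described in the summary; it is not the Sublime rule itself, and the field names, extension list, auto-execution keyword list and sample messages are constructed for this example.

```python
from dataclasses import dataclass

# Extensions that carry VBA macros, and VBA procedure names that run automatically
# on document open/close (constructed lists for this example).
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "xlsb", "pptm", "potm", "ppam"}
AUTO_EXEC_NAMES = {"autoopen", "autoexec", "autoclose", "autonew", "auto_open",
                   "auto_close", "document_open", "document_close", "document_new",
                   "workbook_open", "workbook_activate"}
MAX_SIZE = 100 * 1024 * 1024  # 100 MB ceiling on the 'unknown' file-type branch

@dataclass
class Attachment:
    name: str
    file_type: str       # detected type, "unknown" when unrecognised
    content_type: str    # MIME type declared on the message part
    size: int
    vba_names: list      # procedure names reported by macro analysis

@dataclass
class Message:
    attachments: list
    headers: dict
    sender_solicited: bool   # has the recipient previously corresponded with the sender?
    sender_any_malicious_or_spam: bool = False
    sender_any_false_positives: bool = False

def attachment_is_candidate(a: Attachment) -> bool:
    ext = a.name.rsplit(".", 1)[-1].lower() if "." in a.name else ""
    return ext in MACRO_EXTENSIONS or (
        a.file_type == "unknown" and a.content_type == "application/octet-stream"
        and a.size < MAX_SIZE)

def has_auto_exec_macro(a: Attachment) -> bool:
    return any(n.lower() in AUTO_EXEC_NAMES for n in a.vba_names)

def sender_is_unsolicited(m: Message) -> bool:
    return (not m.sender_solicited) or (
        m.sender_any_malicious_or_spam and not m.sender_any_false_positives)

def is_reply(m: Message) -> bool:
    return any(h.lower() == "in-reply-to" for h in m.headers)

def matches(m: Message) -> bool:
    # Every condition in the rule summary must hold for the message to fire.
    return (any(attachment_is_candidate(a) and has_auto_exec_macro(a) for a in m.attachments)
            and sender_is_unsolicited(m) and not is_reply(m))

# Constructed samples: an unsolicited invoice with an AutoOpen macro (fires), and a
# macro workbook sent in reply by a known sender (reply negation suppresses it).
SUSPICIOUS = Message([Attachment("invoice.docm", "docm", "application/octet-stream", 48_210,
                                 ["AutoOpen", "Main"])], {"Subject": "Invoice"}, sender_solicited=False)
KNOWN_REPLY = Message([Attachment("budget.xlsm", "xlsm", "application/octet-stream", 20_000,
                                  ["Workbook_Open"])], {"In-Reply-To": "<1@example.com>"}, sender_solicited=True)
```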
Categories
  • Endpoint
  • Web
  • Application
Data Sources
  • User Account
  • File
  • Command
  • Process
  • Network Traffic
Created: 2021-09-28