
Summary
This rule detects a password-protected ZIP file being opened from an Outlook email attachment. Encrypted archives are a common phishing delivery technique: because a mail gateway or endpoint scanner cannot inspect the archive contents without the password, the attacker typically places the password in the message body and relies on the recipient to type it in. Encrypted ZIP files have legitimate uses, so a match is a trigger for investigation rather than proof of compromise, but opening one that arrived by email is a strong enough signal to be worth alerting on.

The rule is built on Windows Security event 5379, "Credential Manager credentials were read". When the Windows Shell's built-in ZIP folder handler opens an encrypted archive, it goes through the Credential Manager to handle the archive password, and the resulting 5379 event records a credential target name that identifies the ZIP folder handler together with the full path of the archive. The rule matches 5379 events whose archive path lies under Outlook's `Temporary Internet Files` attachment cache, which is where Outlook writes an attachment when the user opens it directly from the message. Scoping on that directory keeps the rule focused on email attachments rather than every encrypted archive opened on the host.

Two caveats when deploying it: event 5379 is only generated when the corresponding audit subcategory is enabled in the endpoint's audit policy, and an archive opened with a third-party tool such as 7-Zip or WinRAR does not pass through the Shell ZIP folder handler, so it produces no 5379 event and is not covered by this rule.
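The matching logic described above, re-implemented as an added example and run over constructed Security-channel records. This is not the rule's own query: the `winlog.event_data` field layout, the exact `Microsoft_Windows_Shell_ZipFolder:filename=` target prefix, and the sample events are assumptions made for the example and should be confirmed against a real 5379 event before reuse. It also goes slightly beyond the summary by accepting `INetCache` as well as `Temporary Internet Files`, since newer Windows builds place `Content.Outlook` under that folder.

```python
"""Added example: the rule's matching logic, re-implemented in Python and run
over constructed Security-channel records. Not the rule's own query."""
import re

# Credential target written by the Windows Shell ZIP folder handler. The exact
# prefix is an assumption made for this example; confirm it against a real 5379
# event on your own hosts before relying on it.
ZIP_FOLDER_PREFIX = "Microsoft_Windows_Shell_ZipFolder:filename="

# Outlook attachment cache. The rule description names "Temporary Internet
# Files"; INetCache is accepted too because newer Windows builds place
# Content.Outlook under that folder instead.
OUTLOOK_CACHE = re.compile(
    r"\\(Temporary Internet Files|INetCache)\\Content\.Outlook\\", re.IGNORECASE
)

# Constructed sample events shaped like winlog JSON; not real log data.
SAMPLE_EVENTS = [
    {   # password-protected zip opened straight from an Outlook message
        "event": {"code": "5379", "provider": "Microsoft-Windows-Security-Auditing"},
        "winlog": {"event_data": {
            "SubjectUserName": "alice",
            "TargetName": ZIP_FOLDER_PREFIX
            + r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files"
            + r"\Content.Outlook\7K3QX2RA\invoice_4471.zip",
        }},
    },
    {   # same handler, but the archive was saved to Downloads first: out of scope
        "event": {"code": "5379", "provider": "Microsoft-Windows-Security-Auditing"},
        "winlog": {"event_data": {
            "SubjectUserName": "alice",
            "TargetName": ZIP_FOLDER_PREFIX + r"C:\Users\alice\Downloads\photos.zip",
        }},
    },
    {   # a 5379 for an unrelated stored credential (git credential read)
        "event": {"code": "5379", "provider": "Microsoft-Windows-Security-Auditing"},
        "winlog": {"event_data": {
            "SubjectUserName": "bob",
            "TargetName": "LegacyGeneric:target=git:https://github.com",
        }},
    },
    {   # different event code entirely, even though the path looks right
        "event": {"code": "4663", "provider": "Microsoft-Windows-Security-Auditing"},
        "winlog": {"event_data": {
            "SubjectUserName": "bob",
            "ObjectName": r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache"
            + r"\Content.Outlook\ABCDEFGH\report.zip",
        }},
    },
]


def archive_path(event):
    """Return the archive path from a ZIP-folder 5379 event, or None otherwise."""
    if event.get("event", {}).get("code") != "5379":
        return None
    if event["event"].get("provider") != "Microsoft-Windows-Security-Auditing":
        return None
    target = event.get("winlog", {}).get("event_data", {}).get("TargetName", "")
    if not target.startswith(ZIP_FOLDER_PREFIX):
        return None
    return target[len(ZIP_FOLDER_PREFIX):]


def matches_rule(event):
    """True when an encrypted zip was opened from Outlook's attachment cache."""
    path = archive_path(event)
    return path is not None and OUTLOOK_CACHE.search(path) is not None


def find_alerts(events):
    """Run the rule over a batch of events; return (user, archive path) tuples."""
    return [
        (e["winlog"]["event_data"].get("SubjectUserName", "?"), archive_path(e))
        for e in events
        if matches_rule(e)
    ]


if __name__ == "__main__":
    for user, path in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT user={user} archive={path}")
```

Only the first sample event fires. The second shows why the path scoping matters (the same handler opening an archive from Downloads is not an email attachment), the third shows that 5379 covers every Credential Manager read and must be narrowed on the target name, and the fourth shows that a file-access event for the same directory is a different data source and does not satisfy this rule.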
Categories
- Endpoint
- Windows
Data Sources
- File
- Process
- Logon Session
Created: 2022-05-09