
Summary
Technical summary: The rule monitors inbound communications for ZIP attachments. It filters for attachments whose file_type is 'zip', explodes (extracts) the archive, and runs a YARA scan over the extracted content. It matches only when a file inside the ZIP triggers the YARA rule named 'zipline_delivery_telekom', which maps to the ZipLine campaign artifacts described by Telekom Security. A positive match indicates a likely ZipLine delivery carrying the payloads (including LNK-based components) used in the campaign. The rule uses archive analysis and content analysis as its detection methods and relies on threat-intelligence context tying those artifacts to ZipLine. It raises a medium-severity alert categorized under Malware/Ransomware when the inner content matches the observed artifacts.
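The pipeline the summary describes (filter on file_type, explode the archive, scan each inner file, alert only on the named rule) is sketched below as an added, stand-alone example; it is not the rule's actual implementation nor code from Telekom Security. Because the YARA rule's own strings are not reproduced on this page, the `RULES` table is a regex stand-in for the YARA engine keyed by rule name, the indicator it searches for is a constructed placeholder, and the size and nesting limits are assumptions a defender would add rather than anything the rule text states.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Limits applied while exploding the archive (assumptions, not from the rule text).
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # skip members above 10 MiB (decompression-bomb guard)
MAX_NESTING_DEPTH = 2                 # explode ZIPs nested inside ZIPs, but only this deep

TARGET_RULE = "zipline_delivery_telekom"

# Stand-in for the YARA engine: rule name -> regex over a member's raw bytes.
# The real rule's strings are not on this page; the pattern is a constructed
# placeholder so the pipeline can be exercised offline.
RULES = {
    TARGET_RULE: re.compile(rb"PLACEHOLDER_ZIPLINE_INDICATOR"),
}


@dataclass(frozen=True)
class Alert:
    rule: str
    member: str          # inner path that matched; nested archives joined with '!'
    severity: str = "medium"
    category: str = "Malware/Ransomware"


def explode(zip_bytes: bytes, prefix: str = "", depth: int = 0):
    """Yield (path, data) for every regular file in the archive, recursing into nested ZIPs."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Check the declared uncompressed size before reading so a bomb is skipped, not inflated.
            if info.file_size > MAX_MEMBER_BYTES:
                continue
            data = zf.read(info)
            path = f"{prefix}{info.filename}"
            if depth < MAX_NESTING_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
                yield from explode(data, prefix=f"{path}!", depth=depth + 1)
            else:
                yield path, data


def yara_match(data: bytes) -> list:
    """Return the names of all rules whose pattern matches the bytes (YARA stand-in)."""
    return [name for name, pattern in RULES.items() if pattern.search(data)]


def scan_attachment(attachment: dict) -> list:
    """Apply the rule to one attachment record of the form {'file_type': str, 'content': bytes}."""
    if attachment.get("file_type") != "zip":
        return []                               # the rule only considers ZIP attachments
    alerts = []
    for path, data in explode(attachment["content"]):
        if TARGET_RULE in yara_match(data):     # only the named rule raises this alert
            alerts.append(Alert(rule=TARGET_RULE, member=path))
    return alerts


def build_zip(members: dict) -> bytes:
    """Construct a sample ZIP in memory from {name: bytes} (test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a decoy text file plus a nested ZIP whose LNK-named member
    # carries the placeholder indicator, mirroring the archive-in-archive delivery shape.
    inner = build_zip({"invoice.lnk": b"PLACEHOLDER_ZIPLINE_INDICATOR"})
    outer = build_zip({"readme.txt": b"nothing to see", "attachments.zip": inner})
    for alert in scan_attachment({"file_type": "zip", "content": outer}):
        print(alert)
```

Checking `info.file_size` before `zf.read` is what keeps the explode step safe on hostile input: a tiny archive can declare gigabytes of uncompressed data, and the rule should skip such a member rather than inflate it. The nesting depth cap serves the same purpose for archives that wrap archives.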
Categories
- Endpoint
Data Sources
- File
Created: 2026-06-26