
Attachment: EML file with IPFS links

Sublime Rules

Summary
This detection rule identifies EML files (RFC 822/5322 email messages) attached to an inbound message that contain links to IPFS (InterPlanetary File System). IPFS content-addressed storage is increasingly reported as a host for phishing pages, because a page pinned to IPFS is reachable through many public gateways and is hard to take down, so an email attachment that carries IPFS links deserves scrutiny. The rule combines several conditions: it selects attachments whose MIME type is 'message/rfc822' (an EML attached with any other content type, such as application/octet-stream, is not matched), parses each one, and inspects the links in its body. A link matches when the string 'ipfs' appears anywhere in the URL or in its path, which covers both path-style gateway links (https://gateway.example/ipfs/<CID>/...) and subdomain-style ones (https://<CID>.ipfs.gateway.example/...). To limit false positives, a link whose root domain is on a list of well-known, high-reputation domains is ignored, so the rule keys on 'ipfs' references served from unfamiliar hosts rather than on the string alone.
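The detection logic described above, as an added Python example that is not the Sublime rule's own code: it parses a message with the standard library, finds message/rfc822 parts, extracts links from their text and HTML bodies, and flags links that mention 'ipfs' in the URL or path unless the link's root domain is on an allowlist. The sample messages, the domain names and the allowlist are constructed for the demo; the allowlist stands in for the high-reputation domain list the real rule consults, and the root-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Added example, not Sublime's rule code: EML attachments with IPFS links."""
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default as default_policy
from urllib.parse import urlsplit

# Constructed stand-in for the high-reputation domain list the real rule
# uses to suppress false positives.
HIGH_REPUTATION_ROOT_DOMAINS = {"example.com", "ipfs.io"}

HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def extract_links(text):
    """Return href targets and bare URLs found in a body, de-duplicated and sorted."""
    return sorted(set(HREF_RE.findall(text) + URL_RE.findall(text)))


def root_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: fine for the demo; production code should use the Public
    Suffix List (this helper would mishandle hosts under e.g. co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ipfs_link(url):
    """Rule condition: 'ipfs' in the URL or its path, and the root domain
    is not on the allowlist. Non-HTTP targets (mailto:) have no host and
    never match."""
    parts = urlsplit(url)
    if not parts.hostname:
        return False
    mentions_ipfs = "ipfs" in url.lower() or "ipfs" in parts.path.lower()
    return mentions_ipfs and root_domain(parts.hostname) not in HIGH_REPUTATION_ROOT_DOMAINS


def body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() in ("text/plain", "text/html"))


def ipfs_links_in_eml_attachments(raw):
    """Return suspicious IPFS links found inside message/rfc822 attachments.
    Links in the outer message body are out of scope, as in the rule."""
    outer = message_from_bytes(raw, policy=default_policy)
    hits = []
    for part in outer.walk():
        # Only message/rfc822 parts count; an .eml sent as
        # application/octet-stream would not be inspected here.
        if part.get_content_type() != "message/rfc822":
            continue
        inner = part.get_content()  # the attached EmailMessage object
        hits.extend(link for link in extract_links(body_text(inner)) if is_ipfs_link(link))
    return hits


def build_sample():
    """Constructed sample: a forwarded mail whose .eml attachment contains a
    path-style IPFS gateway link, a subdomain-style one, and one on an
    allowlisted domain. An IPFS link in the outer body is a scope check."""
    inner = EmailMessage()
    inner["From"] = "billing@example.com"
    inner["To"] = "victim@example.org"
    inner["Subject"] = "Invoice"
    inner.set_content("Plain text fallback")
    inner.add_alternative(
        "<html><body><p>View invoice:\n"
        '<a href="https://cdn-host.example.net/ipfs/bafybeigdyrzt/index.html">here</a>\n'
        '<a href="https://www.example.com/ipfs/docs">docs</a>\n'
        "or https://bafyk.ipfs.gateway-example.org/login</p></body></html>\n",
        subtype="html")
    outer = EmailMessage()
    outer["From"] = "forwarder@example.org"
    outer["To"] = "victim@example.org"
    outer["Subject"] = "FW: Invoice"
    outer.set_content("See attached.\nOut of scope: https://outer.example.net/ipfs/x\n")
    outer.add_attachment(inner, filename="invoice.eml")  # becomes message/rfc822
    return outer.as_bytes()


if __name__ == "__main__":
    for link in ipfs_links_in_eml_attachments(build_sample()):
        print("IPFS link in EML attachment:", link)
```

Running the block reports the two gateway links from the attachment and stays silent on the allowlisted example.com link and on the IPFS link in the outer body, mirroring the rule's scoping to attachments and its reputation exclusion.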
Categories
  • Web
  • Endpoint
  • Cloud
  • Mobile
Data Sources
  • File
  • Web Credential
  • Network Traffic
Created: 2023-06-09