
Summary
This rule aims to detect the extraction of password-protected ZIP files whose filenames could indicate malicious intent. It specifically looks for Windows Security event ID 5379 (Credential Manager credentials were read) logged with a target name containing 'Microsoft_Windows_Shell_ZipFolder', which is recorded when Explorer retrieves the stored password for an archive opened through the ZIP folder feature. To further focus on potentially malicious activity, it filters for keywords commonly abused by threat actors in lure filenames, such as 'invoice', 'new order', 'rechnung', 'factura', 'delivery', 'purchase', 'order', and 'payment'. This rule could identify situations where attackers leverage legitimate file formats to bypass security measures and engage in command-and-control activities or evasion tactics. Note that legitimate uses of encrypted archives might lead to false positives, so security teams should investigate the context of each detection carefully.
Categories
- Endpoint
- Windows
Data Sources
- File
- Application Log
Created: 2022-05-09