
Summary
This detection rule identifies phishing attempts that deliver ZIP files containing embedded CHM (Compiled HTML Help) files, a format that has been abused for malicious behavior such as executing VBScript. It recursively scans attachments and the archives within them for CHM files, using the file extensions of common archive formats (.zip, .rar, etc.) as the trigger for deeper analysis. The rule is tied to the UNC1151 threat group, which CERT-UA has reported using this technique against state organizations in Ukraine. Rated medium severity, the rule combines archive and file analysis to reveal malicious content hidden inside familiar file formats, countering an evasion tactic that relies on how common and trusted ZIP attachments are, and raising timely alerts on incoming attachments.
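The recursive archive walk described above, as an added illustration that is not the rule's own logic: it unpacks a ZIP attachment in memory, descends into nested ZIPs, and flags members as CHM either by the .chm extension or by the ITSF file signature that CHM files start with, so a renamed CHM is still caught. It assumes ZIP only (RAR and others would need additional libraries) and uses a constructed sample archive.

```python
import io
import zipfile

# CHM (ITSS container) files begin with the 4-byte signature "ITSF".
CHM_MAGIC = b"ITSF"
ARCHIVE_EXTS = (".zip",)  # Only ZIP is handled here; RAR etc. need extra libraries.
MAX_DEPTH = 5  # Stop recursing into deeply nested archives (nesting-bomb guard).


def looks_like_chm(name, data):
    """Flag a member as CHM by extension or by its file signature."""
    return name.lower().endswith(".chm") or data[:4] == CHM_MAGIC


def find_chm_in_zip(zip_bytes, prefix="", depth=0):
    """Recursively walk a ZIP (and nested ZIPs); return paths of CHM members."""
    hits = []
    if depth > MAX_DEPTH:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                data = zf.read(info.filename)
            except (RuntimeError, zipfile.BadZipFile):
                continue  # encrypted or corrupt member; skip rather than crash
            path = prefix + info.filename
            if looks_like_chm(info.filename, data):
                hits.append(path)
            # Descend into nested archives, recognised by extension or ZIP magic.
            if info.filename.lower().endswith(ARCHIVE_EXTS) or data[:2] == b"PK":
                hits.extend(find_chm_in_zip(data, path + "/", depth + 1))
    return hits


def build_sample():
    """Constructed sample: outer ZIP with a decoy PDF, a real .chm, and an inner ZIP
    holding a CHM renamed to .txt (signature still present)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("notice.txt", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 32)
        z.writestr("readme.txt", b"plain text")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.4 decoy")
        z.writestr("inner.zip", inner.getvalue())
        z.writestr("manual.chm", CHM_MAGIC + b"\x00" * 20)
    return outer.getvalue()


if __name__ == "__main__":
    print(find_chm_in_zip(build_sample()))  # -> ['inner.zip/notice.txt', 'manual.chm']
```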
Categories
- Endpoint
- Web
Data Sources
- File
- Network Traffic
- Application Log
Created: 2022-03-07