
Attachment: Uncommon compressed file

Sublime Rules

Summary
This rule detects uncommon compressed or archive files sent as attachments into an organization, since such files are often associated with phishing campaigns. It is intended for environments where the transfer of compressed files is rare. It matches attachments whose file extensions correspond to archive formats such as tar, iso, img, cab, gadget, and uue. Using inbound traffic as its data source, the rule applies archive and file analysis to flag potentially harmful files that could lead to malware installation or credential theft. Identifying such files can give early warning of phishing attempts targeting the energy sector and similar industries, and the rule helps improve overall security posture by reducing the attack surface exposed to common phishing and ransomware threats.
Categories
  • Network
  • Web
  • Endpoint
Data Sources
  • File
  • Network Traffic
Created: 2021-08-06