Attachment: TAR file with RAR type

Sublime Rules

Summary
Technical summary: This inbound rule flags attachments whose file extension is tar while the actual file type is rar. It uses the attachment metadata fields .file_extension and .file_type and triggers when any attachment satisfies file_extension == tar and file_type == rar. The detection relies on archive analysis and file analysis to verify the discrepancy between the extension and the file's internal format (magic numbers or headers). The objective is to detect evasion attempts where attackers rename a RAR archive to a .tar extension to bypass filters that rely on extension-based checks. When triggered, the rule raises a high-severity alert suitable for additional review or automated quarantine.

Important considerations: Some legitimate scenarios could produce mismatches, for example if a file is mislabeled or if tooling misreports file_type. Corroborate the hit with additional heuristics, check for nested archives, and consider blocking or sandboxing such attachments until their contents are verified.
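The extension-versus-content check the summary describes, reproduced as an added Python example (not the Sublime rule itself and not Sublime's own file-analysis code): a small magic-number sniffer stands in for file_type, the extension is taken from the file name, and the rule condition is evaluated over a list of attachments. The Attachment class, the sniff_file_type helper and the sample attachments are constructed for this example; the RAR and tar signatures are the documented ones (RAR 4.x files begin with Rar!\x1a\x07\x00, RAR 5 files with Rar!\x1a\x07\x01\x00, and POSIX/ustar tar headers carry "ustar" at byte offset 257).

```python
"""Flag attachments whose .tar extension disagrees with RAR magic bytes.

Added example: mirrors the rule logic (file_extension == "tar" and
file_type == "rar") with a local signature sniffer so it runs offline.
"""
import io
import tarfile
from dataclasses import dataclass
from typing import Iterable

# Documented archive signatures (not constructed).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"        # RAR 4.x, 7 bytes
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x, 8 bytes
TAR_MAGIC_OFFSET = 257                 # "ustar" lives at byte 257 of the header
TAR_MAGIC = b"ustar"


def sniff_file_type(data: bytes) -> str:
    """Classify content by header bytes, ignoring the file name entirely."""
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    if data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC:
        return "tar"
    return "unknown"


def extension_of(file_name: str) -> str:
    """Lower-cased extension without the dot; empty string if none."""
    return file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""


@dataclass(frozen=True)
class Attachment:
    """Hypothetical stand-in for an attachment record (constructed for this example)."""
    file_name: str
    content: bytes

    @property
    def file_extension(self) -> str:
        return extension_of(self.file_name)

    @property
    def file_type(self) -> str:
        return sniff_file_type(self.content)


def tar_extension_rar_type(attachments: Iterable[Attachment]) -> bool:
    """The rule condition: any attachment with a tar extension but RAR content."""
    return any(a.file_extension == "tar" and a.file_type == "rar" for a in attachments)


def matching_attachments(attachments: Iterable[Attachment]) -> list:
    """Names of the offending attachments, useful for the alert body."""
    return [a.file_name for a in attachments
            if a.file_extension == "tar" and a.file_type == "rar"]


def build_tar_bytes() -> bytes:
    """Construct a genuine (tiny) tar archive in memory using the stdlib."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"hello\n"
        info = tarfile.TarInfo(name="readme.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample attachments: one renamed RAR, one genuine tar, one RAR
# honestly labelled, so only the first should trip the rule.
RENAMED_RAR = Attachment("invoice.tar", RAR5_MAGIC + b"\x00" * 32)
GENUINE_TAR = Attachment("backup.tar", build_tar_bytes())
HONEST_RAR = Attachment("photos.rar", RAR4_MAGIC + b"\x00" * 32)
SAMPLE_ATTACHMENTS = [RENAMED_RAR, GENUINE_TAR, HONEST_RAR]


if __name__ == "__main__":
    for a in SAMPLE_ATTACHMENTS:
        print(f"{a.file_name:12s} ext={a.file_extension:4s} type={a.file_type}")
    print("rule fired:", tar_extension_rar_type(SAMPLE_ATTACHMENTS),
          matching_attachments(SAMPLE_ATTACHMENTS))
```

The mislabeling caveat from the summary shows up in the design: the sniffer returns "unknown" for anything it cannot classify rather than guessing, so a file that is neither tar nor RAR does not fire the rule on its own, and the matching_attachments helper gives a reviewer the specific names to corroborate before quarantining.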
Categories
  • Web
  • Application
Data Sources
  • File
Created: 2026-04-25