Extortion / Sextortion in Attachment From Untrusted Sender

Sublime Rules

Summary
This rule detects extortion and sextortion attempts carried in email attachments from untrusted senders. It analyzes both the email body text and the contents of any attachments for signs of malicious intent, with a particular focus on threats of financial exploitation. The rule uses language classification to look for specific intent labels, such as 'extortion', and checks for financial-related entities. It also applies several regex patterns to identify common phrases and malware terms associated with extortion tactics. When attachments are present, the rule applies Optical Character Recognition (OCR) to PDFs and images and searches the extracted text for threats involving financial demands, explicit content, and coercive behavior. Sender analysis rules out false positives from solicited email, and DMARC checks examine the authenticity of the sender. Taken together, these checks give the detection system a robust mechanism for flagging concerning emails before they escalate into significant security incidents.
Categories
  • Web
  • Endpoint
  • Cloud
Data Sources
  • User Account
  • File
  • Network Traffic
  • Application Log
  • Process
Created: 2024-08-12