MalwareBazaar: Malicious attachment hash (trusted reporters)

Sublime Rules

Summary
This detection rule identifies potentially malicious email attachments by checking their SHA256 hashes against a curated list from the MalwareBazaar platform, specifically hashes submitted by trusted reporters. It applies only to emails received from untrusted senders and uses sender profile analysis as a second, essential layer. The rule triggers when an email contains an attachment whose SHA256 hash matches an entry in the MalwareBazaar list and at least one of the following sender conditions holds: the sender profile indicates a newly detected sender or one categorized as an outlier, or the sender has previously been associated with malicious or spam messages with no reported false positives. This layered approach improves detection accuracy by combining threat intelligence with sender analysis, with the aim of mitigating the risks posed by malicious file attachments in email.
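The decision logic described above, written out as an added Python reference model rather than the rule's own Sublime MQL. The sender profile fields, the prevalence labels ("new", "outlier", "common") and the hash feed contents are constructed for illustration and are not taken from the rule or from MalwareBazaar.

```python
"""Reference model of the rule's two-layer decision (added illustration, not Sublime's MQL)."""
import hashlib
from dataclasses import dataclass, field

@dataclass
class SenderProfile:
    prevalence: str                  # "new", "outlier", or "common" (assumed labels)
    malicious_or_spam_hits: int = 0  # prior messages from this sender flagged malicious/spam
    false_positives: int = 0         # prior flags on this sender later marked false positive
    trusted: bool = False            # sender is on an allow/trusted list

@dataclass
class Email:
    sender: SenderProfile
    attachments: dict = field(default_factory=dict)  # filename -> raw bytes

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sender_is_suspicious(p: SenderProfile) -> bool:
    """Second layer: newly seen or outlier sender, or a sender with prior
    malicious/spam verdicts and no false positives on record."""
    if p.prevalence in ("new", "outlier"):
        return True
    return p.malicious_or_spam_hits > 0 and p.false_positives == 0

def evaluate(email: Email, trusted_reporter_hashes: set[str]) -> tuple[bool, list[str]]:
    """Return (alert, matched_filenames). Trusted senders are skipped; an alert
    requires both a hash match and a suspicious sender profile."""
    if email.sender.trusted:
        return False, []
    matched = [name for name, blob in email.attachments.items()
               if sha256_hex(blob) in trusted_reporter_hashes]
    if not matched:
        return False, []
    return sender_is_suspicious(email.sender), matched

# Constructed sample data: the "known-bad" hash is derived from a dummy payload,
# standing in for an entry from the MalwareBazaar trusted-reporter feed.
DUMMY_MALICIOUS = b"constructed sample payload, not real malware"
FEED = {sha256_hex(DUMMY_MALICIOUS)}

if __name__ == "__main__":
    new_sender = Email(SenderProfile("new"), {"invoice.zip": DUMMY_MALICIOUS})
    known_clean = Email(SenderProfile("common"), {"invoice.zip": DUMMY_MALICIOUS})
    print(evaluate(new_sender, FEED))   # (True, ['invoice.zip'])
    print(evaluate(known_clean, FEED))  # (False, ['invoice.zip'])
```

The second case shows the point of the layering: a hash hit from an established sender with a clean history is reported as a match but does not alert on its own.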
Categories
  • Network
  • Endpoint
  • Cloud
  • Web
  • Identity Management
Data Sources
  • File
  • User Account
  • Network Traffic
Created: 2023-05-24