Attachment: Archive containing disallowed file type

Sublime Rules

Summary
This detection rule scans incoming email attachments for disallowed file types contained within archives, including password-protected archives. It targets a common attacker tactic: bundling malicious files inside an archive so that the attachment evades email security controls. The rule evaluates attachments by checking their file extensions against a list of file types that major email services such as Gmail and Microsoft 365 block outright. It also recurses into nested archives (up to a fixed depth) so that files buried deeper inside an archive are checked against the same list of risky extensions. The rule becomes more contextually relevant when the sender's profile is new or an outlier, or when the sender has previously sent malicious or spam messages, and it suppresses matches for senders with a known history of false positives in order to limit false alerts. This layered approach improves the rule's ability to identify and mitigate malware that uses archives as an evasion technique.
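The logic the summary describes, written out as an added Python example (this is not the Sublime rule's own query, which is expressed in Sublime's rule language): recurse into a zip attachment up to a fixed depth, flag any member whose final extension is on a blocklist, record nested archives that cannot be opened (for example encrypted ones with no password), and then combine the scan result with a sender profile the way the summary describes. The extension list is an illustrative subset of the types Gmail and Microsoft 365 reject, `MAX_DEPTH`, `SenderProfile`, `should_alert` and the sample archive are all assumptions constructed for this example.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

# Illustrative subset of extensions Gmail and Microsoft 365 reject in attachments.
# Assumption: a real rule would carry the complete, maintained list.
DISALLOWED_EXTENSIONS = {
    "exe", "scr", "bat", "cmd", "com", "js", "jse", "vbs", "vbe", "wsf",
    "hta", "msi", "ps1", "lnk", "pif", "cpl",
}
ARCHIVE_EXTENSIONS = {"zip"}   # only zip is handled in this example
MAX_DEPTH = 3                  # assumption: how deep to recurse into nested archives


@dataclass
class ScanResult:
    flagged: List[str] = field(default_factory=list)      # e.g. "a.zip/inner.zip/payload.exe"
    unscannable: List[str] = field(default_factory=list)  # archives that could not be opened


@dataclass
class SenderProfile:
    # Assumed fields mirroring the sender context the summary describes.
    is_new_or_outlier: bool
    any_messages_malicious_or_spam: bool
    any_false_positives: bool


def _extension(name: str) -> str:
    # Final extension only, lower-cased: "invoice.pdf.exe" -> "exe"
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def scan_archive(data: bytes, path: str, result: ScanResult,
                 depth: int = 0, pwd: Optional[bytes] = None) -> ScanResult:
    """Walk a zip archive (and nested zips) and record disallowed member extensions."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result.unscannable.append(path)
        return result
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}"
            ext = _extension(info.filename)
            # Member names are readable even in password-protected zips, so the
            # extension check works without the password.
            if ext in DISALLOWED_EXTENSIONS:
                result.flagged.append(member)
            elif ext in ARCHIVE_EXTENSIONS and depth < MAX_DEPTH:
                try:
                    nested = zf.read(info, pwd=pwd)
                except RuntimeError:
                    # Encrypted nested archive with no (or a wrong) password: cannot recurse.
                    result.unscannable.append(member)
                    continue
                scan_archive(nested, member, result, depth + 1, pwd)
    return result


def scan_attachment(data: bytes, name: str = "attachment.zip",
                    pwd: Optional[bytes] = None) -> ScanResult:
    return scan_archive(data, name, ScanResult(), 0, pwd)


def should_alert(result: ScanResult, sender: SenderProfile) -> bool:
    """Combine the file finding with sender context as the summary describes."""
    if not result.flagged:
        return False
    risky_sender = sender.is_new_or_outlier or sender.any_messages_malicious_or_spam
    return risky_sender and not sender.any_false_positives


def build_sample_attachment() -> bytes:
    """Constructed test input: outer zip holding a PDF, a nested zip with a
    double-extension executable, and a top-level .js file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf.exe", b"MZ placeholder")   # constructed bytes, not a real binary
        z.writestr("notes.txt", b"harmless text")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("report.pdf", b"%PDF-1.4 placeholder")
        z.writestr("inner.zip", inner.getvalue())
        z.writestr("macro.js", b"// constructed placeholder")
    return outer.getvalue()


if __name__ == "__main__":
    res = scan_attachment(build_sample_attachment())
    sender = SenderProfile(is_new_or_outlier=True, any_messages_malicious_or_spam=False,
                           any_false_positives=False)
    print("flagged:", res.flagged)
    print("unscannable:", res.unscannable)
    print("alert:", should_alert(res, sender))
```

The recursion stops at `MAX_DEPTH` so a deliberately deep nest of archives cannot drive unbounded work, and an archive that cannot be opened is reported separately rather than silently passed: a nested archive the scanner could not look inside is itself a signal worth surfacing to the analyst.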
Categories
  • Cloud
  • Web
  • Endpoint
  • Other
Data Sources
  • Container
  • File
  • Application Log
  • Network Traffic
Created: 2022-06-29