
Summary
This detection rule identifies inbound emails in which an EML attachment carries an encrypted ZIP file. Encrypted archives can deliver malware while evading conventional content scanning, so the rule inspects inbound mail for EML-format attachments, applies a series of filters to find ZIP files among their attachments, and then checks whether those ZIP files are encrypted. The check is performed with file analysis techniques, combining YARA rules with ZIP scanning operations to flag encrypted entries. Because encrypted ZIP archives are commonly used in phishing and malware delivery, the rule aims to reduce exposure by providing an early warning of potentially malicious content in email. Despite these security implications, the rule is classified with a low severity level: the detection is valuable, but on its own it does not indicate an immediate threat until further investigation has been carried out.
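The following is an added example, not the rule's own implementation: it reproduces the detection logic described above in standard-library Python, walking an inbound message down into any attached .eml, picking out ZIP attachments by their magic bytes, and flagging entries whose general-purpose bit 0 (the encryption flag, set for both ZipCrypto and AES entries) is on. The sample mail and sample archive are constructed in the block; `make_zip_fixture`, `build_eml_fixture`, `encrypted_entries` and `find_encrypted_zip_attachments` are names chosen here, and the `example.invalid` addresses are placeholders.

```python
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_CENTRAL_HEADER = b"PK\x01\x02"
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry is encrypted (ZipCrypto or AES)


def make_zip_fixture(encrypted: bool) -> bytes:
    """Constructed sample archive with one entry. zipfile cannot write
    encrypted archives, so when encrypted=True the encryption flag is set by
    hand in both the local file header (flag at offset 6) and the central
    directory entry (flag at offset 8); the data itself is not scrambled,
    which is enough to exercise a flag-based detection."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.exe", b"placeholder bytes, not a real executable")
    data = bytearray(buf.getvalue())
    if encrypted:
        lfh = data.find(ZIP_LOCAL_HEADER)
        cdh = data.find(ZIP_CENTRAL_HEADER)
        for off in (lfh + 6, cdh + 8):
            flags = struct.unpack_from("<H", data, off)[0] | FLAG_ENCRYPTED
            struct.pack_into("<H", data, off, flags)
    return bytes(data)


def build_eml_fixture(zip_bytes: bytes) -> bytes:
    """Constructed sample mail: the inbound message carries a forwarded .eml,
    and that nested message carries the ZIP, matching the rule's scenario."""
    inner = EmailMessage()
    inner["Subject"] = "Invoice 2025-08"
    inner["From"] = "sender@example.invalid"
    inner["To"] = "user@example.invalid"
    inner.set_content("Please open the attached invoice.")
    inner.add_attachment(zip_bytes, maintype="application", subtype="zip",
                         filename="invoice.zip")
    outer = EmailMessage()
    outer["Subject"] = "FW: Invoice 2025-08"
    outer["From"] = "forwarder@example.invalid"
    outer["To"] = "soc@example.invalid"
    outer.set_content("Forwarding the original message for review.")
    outer.add_attachment(inner, filename="original.eml")  # message/rfc822 part
    return outer.as_bytes()


def encrypted_entries(zip_bytes: bytes) -> list:
    """Names of entries whose general-purpose flag has the encryption bit set.
    This is the same field a YARA rule would test in each local file header."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if info.flag_bits & FLAG_ENCRYPTED]


def find_encrypted_zip_attachments(raw_eml: bytes) -> list:
    """Return (attachment name, [encrypted entry names]) for every ZIP
    attachment, at any nesting depth, that has at least one encrypted entry."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    # walk() descends into multipart containers and message/rfc822 parts,
    # so ZIPs inside an attached .eml are reached without special handling
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        # identify ZIPs by magic bytes, not by declared MIME type or extension
        if not payload or not payload.startswith(ZIP_LOCAL_HEADER):
            continue
        try:
            names = encrypted_entries(payload)
        except zipfile.BadZipFile:
            continue  # truncated or malformed archive: not this rule's concern
        if names:
            hits.append((part.get_filename() or "<unnamed>", names))
    return hits


if __name__ == "__main__":
    for flag in (False, True):
        eml = build_eml_fixture(make_zip_fixture(encrypted=flag))
        print("encrypted" if flag else "plain", "->", find_encrypted_zip_attachments(eml))
```

Two design points worth noting. Matching on the `PK\x03\x04` magic rather than on the `.zip` extension or the declared `Content-Type` means a renamed archive is still examined; the trade-off is that archives with bytes prepended (self-extracting stubs, for example) do not start with that signature and would need a separate check. Testing the flag bit rather than attempting extraction keeps the check cheap and password-free, and it covers AES-encrypted entries too, since those set bit 0 alongside compression method 99.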
Categories
- Endpoint
- Web
- Application
Data Sources
- User Account
- File
- Network Traffic
- Application Log
Created: 2025-08-19