Suspicious VBA macros from untrusted sender

Sublime Rules

Summary
This rule is designed to identify potentially malicious VBA macros sent as email attachments from untrusted sources. It uses an AI-based classifier, the 'Sublime Macro Classifier', to evaluate the attachments. The rule checks whether an attachment is of a type that commonly contains macros (e.g., .xlsm, .docm), or whether it has the content type 'application/octet-stream' with an unknown file extension and a size below 100MB. If the macro classifier determines with high confidence that the macro is malicious, the message is flagged for further investigation. The sender's profile is also analyzed for prevalence, so that only first-time and otherwise suspicious senders are matched, which reduces false positives. The detection is assigned high severity because of the potential for malware or ransomware being delivered via these attachments.
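The compound logic described above, written out as an added Python example (not the Sublime rule itself, which is expressed in Sublime's own query language): the attachment-type test, the classifier verdict test, and the sender-prevalence gate are evaluated over constructed message metadata. The field names, the set of "known" extensions, and the "new" prevalence value are assumptions for this example; the classifier's verdict is taken as an input rather than computed.

```python
from dataclasses import dataclass
from typing import List

# Extensions that commonly carry VBA macros (the summary names .xlsm and .docm;
# the rest of this set is an illustrative assumption).
MACRO_EXTENSIONS = {"xlsm", "docm", "pptm", "dotm", "xltm"}
# Extensions treated as "known", so an octet-stream attachment bearing one is not
# the unknown-extension case. Constructed for this example, not the rule's own list.
KNOWN_EXTENSIONS = {"pdf", "png", "jpg", "txt", "zip", "docx", "xlsx"} | MACRO_EXTENSIONS
MAX_SIZE = 100 * 1024 * 1024  # 100MB size bound from the rule summary

@dataclass
class Attachment:
    file_name: str
    content_type: str
    size: int
    # Verdict and confidence as produced by the macro classifier (assumed field names).
    macro_verdict: str = "benign"
    macro_confidence: str = "low"

@dataclass
class Message:
    sender_prevalence: str  # "new" models a first-time sender (assumed value)
    attachments: List[Attachment]

def extension(name: str) -> str:
    """Lower-cased file extension, or '' when the name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def is_macro_candidate(att: Attachment) -> bool:
    """Attachment type check: macro-capable extension, or an octet-stream blob
    with an unknown extension that stays under the size bound."""
    ext = extension(att.file_name)
    if ext in MACRO_EXTENSIONS:
        return True
    return (att.content_type == "application/octet-stream"
            and ext not in KNOWN_EXTENSIONS
            and att.size < MAX_SIZE)

def rule_matches(msg: Message) -> bool:
    """True when a first-time sender delivers a macro-capable attachment that the
    classifier calls malicious with high confidence."""
    if msg.sender_prevalence != "new":
        return False  # known senders are excluded to limit false positives
    return any(is_macro_candidate(a)
               and a.macro_verdict == "malicious"
               and a.macro_confidence == "high"
               for a in msg.attachments)
```

The oversized octet-stream case and the low-confidence verdict both fall through to no match, which is where tuning of the size bound and confidence threshold would happen in a real deployment.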
Categories
  • Endpoint
  • Cloud
  • Web
Data Sources
  • File
  • Application Log
  • Network Traffic
Created: 2022-09-09