
Summary
This detection rule identifies when a user extracts a password-protected ZIP file on a Windows system. It looks for events that indicate use of the Windows Shell's ZIP file handling feature, specifically Event ID 5379, which corresponds to the extraction of such files. The detection condition requires that the event pertains to a ZIP file being accessed and excludes archives located under the 'Temporary Internet Files/Content.Outlook' directory, since those may indicate benign activity such as opening email attachments. The rule is intended to alert security teams to a potential defense evasion tactic: attackers use encrypted archives to conceal malicious payloads from content inspection. As always, alerts generated by this rule should be reconciled with contextual analysis to avoid false positives, such as legitimate usage scenarios involving encrypted ZIP files.
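The following is an added worked example of the detection logic described above, run over a few constructed Security event records; it is not part of the original rule and is not the project's own code. It assumes that Event ID 5379 records are available as dictionaries with EventID, SubjectUserName and TargetName fields, and that the Windows Shell records the archive path in TargetName as "Microsoft_Windows_Shell_ZipFolder:filename=<path>" (both assumptions; the field name and value format are not stated on this page). The Outlook exclusion is applied case-insensitively, mirroring Sigma's default 'contains' semantics.

```python
"""Detect password-protected ZIP extraction (Event ID 5379) with an Outlook-attachment exclusion."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

EVENT_ID_CREDENTIAL_READ = 5379

# Assumption: the Shell records the archive path after this marker in TargetName.
ZIP_FOLDER_RE = re.compile(r"Microsoft_Windows_Shell_ZipFolder:filename=(.*)", re.IGNORECASE)

# Archives under this directory are treated as benign Outlook attachment previews.
OUTLOOK_EXCLUSION = "temporary internet files\\content.outlook\\"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # True positive: user opened a password-protected ZIP from Downloads
        "EventID": 5379, "SubjectUserName": "jdoe",
        "TargetName": "Microsoft_Windows_Shell_ZipFolder:filename=C:\\Users\\jdoe\\Downloads\\invoice.zip",
    },
    {   # Excluded: archive lives under the Outlook temporary attachment folder
        "EventID": 5379, "SubjectUserName": "jdoe",
        "TargetName": "Microsoft_Windows_Shell_ZipFolder:filename=C:\\Users\\jdoe\\AppData\\Local\\"
                      "Microsoft\\Windows\\Temporary Internet Files\\Content.Outlook\\ABCD1234\\report.zip",
    },
    {   # Not a ZIP-folder credential: an ordinary Credential Manager read
        "EventID": 5379, "SubjectUserName": "jdoe",
        "TargetName": "LegacyGeneric:target=git:https://example.invalid",
    },
    {   # Different event ID entirely
        "EventID": 4624, "SubjectUserName": "jdoe", "TargetName": "",
    },
]


@dataclass(frozen=True)
class Alert:
    user: str
    archive_path: str
    event: dict


def archive_path_from_event(event: dict) -> Optional[str]:
    """Return the ZIP path embedded in TargetName, or None if the event is not a ZIP-folder read."""
    if event.get("EventID") != EVENT_ID_CREDENTIAL_READ:
        return None
    match = ZIP_FOLDER_RE.search(event.get("TargetName", ""))
    return match.group(1) if match else None


def matches_rule(event: dict) -> bool:
    """Selection (ZIP-folder read) AND NOT the Outlook attachment filter."""
    path = archive_path_from_event(event)
    if path is None:
        return False
    return OUTLOOK_EXCLUSION not in path.lower()


def run_detection(events: Iterable[dict]) -> List[Alert]:
    """Evaluate the rule over an event stream and return one Alert per match."""
    alerts: List[Alert] = []
    for event in events:
        if matches_rule(event):
            alerts.append(Alert(
                user=event.get("SubjectUserName", "<unknown>"),
                archive_path=archive_path_from_event(event) or "",
                event=event,
            ))
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(f"ALERT: {alert.user} extracted password-protected archive {alert.archive_path}")
```

Of the four constructed events only the first produces an alert: the second is dropped by the Content.Outlook exclusion, the third is a 5379 event for a credential unrelated to the ZIP folder handler, and the fourth has a different event ID. When reviewing a real alert, the archive path and the user are the two fields an analyst needs first to decide whether the extraction was expected.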
Categories
- Windows
- Endpoint
Data Sources
- File
- Process
Created: 2022-05-09