
Summary
This detection rule identifies unsolicited emails that carry encrypted zip file attachments. It recursively scans incoming attachments, and the archives nested inside them, for zip files, and flags those that YARA rules classify as 'encrypted_zip'. Two checks drive the verdict: the attachment's file type or extension must confirm it is a zip, and the sender must either be unknown or have a history of sending malicious or spam content. The rule does not trigger on common senders, which keeps its precision high and its false-positive rate low. Encrypted attachments are a frequent way for attackers to slip phishing lures or malware past security measures, so this approach helps surface such attempts early.
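As an added illustration (not the rule's own implementation), the following Python models the logic the summary describes: a recursive walk through attachments and nested archives, a stand-in for the 'encrypted_zip' YARA match based on the zip encryption flag, the file-type check, and the sender checks. The sender lists, sample archives and addresses are constructed assumptions.

```python
import io
import struct
import zipfile

FLAG_ENCRYPTED = 0x0001  # ZIP general-purpose bit 0: the entry is encrypted

def find_encrypted_zips(name, data, depth=0):
    """Recursively list archive paths holding an encrypted entry (stand-in for the 'encrypted_zip' YARA match)."""
    if not (name.lower().endswith(".zip") or data.startswith(b"PK\x03\x04")):
        return []  # file-type / extension check: not a zip
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = [i for i in zf.infolist() if not i.is_dir()]
            if any(i.flag_bits & FLAG_ENCRYPTED for i in infos):
                return [name]  # encrypted: cannot descend into it anyway
            if depth >= 3:  # bound the recursion into nested archives
                return []
            hits = []
            for i in infos:  # plain archive: inspect every member, nested zips included
                hits += find_encrypted_zips(f"{name}/{i.filename}", zf.read(i), depth + 1)
            return hits
    except zipfile.BadZipFile:
        return []  # malformed archive: no match

def rule_matches(sender, attachments, known_senders, flagged_senders):
    """Fire only for an unsolicited (never-seen) or previously flagged sender with an encrypted zip."""
    s = sender.lower()
    if s in known_senders and s not in flagged_senders:
        return []  # common, clean sender: suppress to cut false positives
    return [h for fname, raw in attachments for h in find_encrypted_zips(fname, raw)]

def make_zip(members, encrypted=False):
    """Constructed test data; encrypted=True sets the encryption flag on every local and central header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for fname, payload in members.items():
            zf.writestr(fname, payload)
    out = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = out.find(sig)
            while pos >= 0:
                flags = struct.unpack_from("<H", out, pos + off)[0] | FLAG_ENCRYPTED
                struct.pack_into("<H", out, pos + off, flags)
                pos = out.find(sig, pos + 4)
    return bytes(out)

# Constructed sample: a plain zip wrapping an encrypted zip (the nested case the rule must catch).
SAMPLE = [("docs.zip", make_zip({"note.txt": b"see attached",
                                  "payload.zip": make_zip({"invoice.exe": b"MZ..."}, encrypted=True)}))]
```

Calling `rule_matches("billing@unknown.example", SAMPLE, set(), set())` returns the nested path `docs.zip/payload.zip`, while the same attachment from a sender in `known_senders` (and not in `flagged_senders`) returns nothing.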
Categories
- Endpoint
- Cloud
- Web
- Application
Data Sources
- File
- Process
- Network Traffic
- Application Log
Created: 2021-12-01