
Summary
This rule detects MSI (Microsoft Installer) files by scanning attachments and recursing into archives. Its purpose is to catch social engineering attacks in which an attacker disguises a malicious MSI file as an IT support or software update request and persuades the recipient to run it; executing the MSI would run the attacker's code on the user's system, a significant security risk. The rule combines archive analysis and direct file analysis to identify potentially harmful attachments. Severity is rated medium. The rule applies when attachments are present that carry the MSI file extension, or that are embedded within common archive types used to carry MSI files as payloads, so that the various ways an MSI installer can be packaged in an attack are covered.
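An illustrative approximation of the recursive attachment scan described above, written as an added example and not the rule's own logic: it flags files by the `.msi` extension or by the OLE Compound File header that MSI packages use, and unpacks nested ZIP archives (the only archive type handled here, by assumption) to a bounded depth. The sample attachment is constructed inline.

```python
import io
import zipfile

# OLE Compound File Binary signature; MSI packages use this container format.
# Note: legacy Office formats (.doc, .xls) share it, so this is a coarse signal.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ARCHIVE_EXTS = (".zip",)  # assumption: only ZIP is unpacked in this example


def looks_like_msi(name, data):
    """Flag by .msi extension or by CFB header (catches a renamed MSI payload)."""
    return name.lower().endswith(".msi") or data[:8] == CFB_MAGIC


def find_msi(name, data, path="", depth=0, max_depth=5):
    """Return the paths of every MSI-like file inside an attachment, recursing
    into nested archives up to max_depth levels (a bound against nesting abuse)."""
    here = f"{path}/{name}" if path else name
    hits = [here] if looks_like_msi(name, data) else []
    if depth < max_depth and name.lower().endswith(ARCHIVE_EXTS):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        hits += find_msi(info.filename, zf.read(info), here,
                                         depth + 1, max_depth)
        except zipfile.BadZipFile:
            pass  # extension lied; not an archive we can unpack
    return hits


def _zip(entries):
    """Build an in-memory ZIP from {filename: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, blob in entries.items():
            zf.writestr(fname, blob)
    return buf.getvalue()


def build_sample_attachment():
    """Constructed lure: a ZIP holding a benign note, a nested ZIP with an MSI,
    and a CFB file whose .dat extension hides its type."""
    fake_msi = CFB_MAGIC + b"\x00" * 24  # header only, not a real installer
    inner = _zip({"IT_Support_Update.msi": fake_msi})
    return _zip({"README.txt": b"Please run the installer.",
                 "inner.zip": inner,
                 "patch.dat": fake_msi})


if __name__ == "__main__":
    for hit in find_msi("attachment.zip", build_sample_attachment()):
        print("MSI-like payload:", hit)
```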
Categories
- Endpoint
- Windows
- Cloud
- Application
Data Sources
- File
- Container
- Application Log
ATT&CK Techniques
- T1218.007
Created: 2022-04-25