
Summary
This rule flags emails that carry exactly two attachments and use an employment-contract lure. One of the two attachments must be a PowerPoint file, identified by its '.pptx' extension (the match is on the filename suffix, not on the file's actual content type), whose filename substitutes the digit '0' for the letter 'o', as in 'Empl0yment'. This substitution is a common attempt to slip past keyword filters while still reading as the intended word to the recipient. The message body must also claim that an employment contract has been updated; the rule monitors phrases such as 'Your Employment Contract has being updated', matched as written, grammatical error included. The detection combines content analysis of the body text with the attachment count and filename checks, and is intended to surface malware or ransomware delivery that relies on employment-related social engineering.
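The following is an added example of the rule's logic implemented in Python over constructed MIME messages; it is not the rule's own code. It assumes the three conditions described above (exactly two attachments, a '.pptx' attachment named with 'Empl0yment', and the contract-updated phrase in the body). The acceptance of "has been updated" alongside the quoted "has being updated" is an added assumption, as are the sample sender, recipient, filenames and attachment bytes.

```python
import re
from email.message import EmailMessage

# Filename check: "Employment" with the letter o swapped for the digit 0,
# i.e. "Empl0yment", anywhere in the attachment name (case-insensitive).
OBFUSCATED_NAME = re.compile(r"empl0yment", re.IGNORECASE)

# PowerPoint attachment is identified by its extension only, as the rule does.
PPTX_EXT = re.compile(r"\.pptx$", re.IGNORECASE)

# Body check: the lure phrase quoted by the rule ("has being updated").
# Also accepting the grammatical "has been updated" is an assumption added here.
CONTRACT_PHRASE = re.compile(
    r"\byour\s+employment\s+contract\s+has\s+be(?:en|ing)\s+updated\b",
    re.IGNORECASE,
)


def body_text(msg: EmailMessage) -> str:
    """Return the text body of the message (plain preferred, then HTML)."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def matches_rule(msg: EmailMessage) -> bool:
    """True when all three conditions of the rule hold for this message."""
    attachments = list(msg.iter_attachments())
    if len(attachments) != 2:
        return False
    names = [part.get_filename() or "" for part in attachments]
    # The obfuscated name and the .pptx extension must be on the same attachment.
    has_obfuscated_pptx = any(
        PPTX_EXT.search(name) is not None and OBFUSCATED_NAME.search(name) is not None
        for name in names
    )
    if not has_obfuscated_pptx:
        return False
    return CONTRACT_PHRASE.search(body_text(msg)) is not None


def build_message(body: str, attachments: list[tuple[str, bytes]]) -> EmailMessage:
    """Build a constructed test message; headers and bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "hr@example.com"          # assumed sender
    msg["To"] = "employee@example.com"      # assumed recipient
    msg["Subject"] = "Employment Contract"
    msg.set_content(body)
    for filename, data in attachments:
        msg.add_attachment(
            data, maintype="application", subtype="octet-stream", filename=filename
        )
    return msg


# Constructed samples: PK\x03\x04 stands in for a zip-based .pptx, %PDF for a PDF.
LURE = "Your Employment Contract has being updated. Please review the attached file."
PPTX_BYTES = b"PK\x03\x04"
PDF_BYTES = b"%PDF-1.4"

SAMPLES = {
    "hit": build_message(LURE, [("Empl0yment_Contract.pptx", PPTX_BYTES), ("details.pdf", PDF_BYTES)]),
    "three_attachments": build_message(
        LURE,
        [("Empl0yment_Contract.pptx", PPTX_BYTES), ("details.pdf", PDF_BYTES), ("notes.pdf", PDF_BYTES)],
    ),
    "plain_spelling": build_message(LURE, [("Employment_Contract.pptx", PPTX_BYTES), ("details.pdf", PDF_BYTES)]),
    "wrong_extension": build_message(LURE, [("Empl0yment_Contract.docx", PPTX_BYTES), ("details.pdf", PDF_BYTES)]),
    "no_phrase": build_message(
        "Please find the quarterly slides attached.",
        [("Empl0yment_Contract.pptx", PPTX_BYTES), ("details.pdf", PDF_BYTES)],
    ),
}


def run_samples() -> dict[str, bool]:
    """Evaluate every constructed sample against the rule."""
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {'MATCH' if verdict else 'no match'}")
```

Only the first sample matches; each of the others fails exactly one condition, which makes the logic easy to regression-test when the rule is tuned. Because the '.pptx' check is on the filename suffix alone, a practitioner would normally pair this with a content-type or magic-byte check on the attachment before treating it as a true PowerPoint file.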
Categories
- Endpoint
- Web
- Cloud
- Application
- Identity Management
Data Sources
- User Account
- File
- Network Traffic
- Application Log
Created: 2026-01-29