
Summary
This detection rule targets the scenario where an email contains a link that initiates the download of an encrypted zip file, which in turn contains disk image files in IMG, ISO, or VHD format. These file types are often associated with the delivery of Qakbot malware. The rule analyzes links present in the email body, combining several data points: the file types inside the zip archive, sender profile characteristics, and any associated malicious activity. The sender profiling assesses the prevalence and reputation of the sender to identify potential threats. Detection is a layered verification: the rule confirms that the downloaded file is an encrypted zip and that the zip holds a disk image before flagging the message as a potentially harmful communication that could lead to a malware infection. To do so it employs archive, file, sender, and URL analysis along with YARA rules.
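The archive-analysis step described above, as an added Python example that is not the rule's own implementation: a downloaded zip is classified as an "encrypted zip containing a disk image" by reading its central directory, which stays in cleartext even for password-protected archives, so no password is needed. The `build_zip` helper, the member names and the `DOS_DATE_1980` constant are constructed test data; it sets the encryption flag in the headers without actually encrypting anything.

```python
import io
import os
import struct
import zipfile
import zlib

DISK_IMAGE_EXTS = {".img", ".iso", ".vhd"}
ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0: member data is encrypted
DOS_DATE_1980 = 0x0021   # valid DOS date (1980-01-01) for the constructed headers


def encrypted_disk_images(zip_bytes: bytes) -> list[str]:
    """Names of members that are both encrypted and disk images.

    Needs no password: member names and flag bits live in the central
    directory, which zip never encrypts, so a gateway can classify the
    archive without decrypting any member."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return []  # not a zip at all; other analyzers handle that case
    with zf:
        return [
            zi.filename
            for zi in zf.infolist()
            if not zi.is_dir()
            and zi.flag_bits & ENCRYPTED_FLAG
            and os.path.splitext(zi.filename)[1].lower() in DISK_IMAGE_EXTS
        ]


def build_zip(entries, encrypted: bool) -> bytes:
    """Constructed sample: hand-assemble a stored (uncompressed) zip so the
    encryption flag can be set on demand. Member data is left in cleartext;
    only the metadata a detector inspects is modelled."""
    flags = ENCRYPTED_FLAG if encrypted else 0
    local, central = b"", b""
    for name, data in entries:
        n, crc, offset = name.encode(), zlib.crc32(data), len(local)
        hdr = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0,
                          DOS_DATE_1980, crc, len(data), len(data), len(n), 0)
        local += hdr + n + data
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                               0, 0, DOS_DATE_1980, crc, len(data), len(data),
                               len(n), 0, 0, 0, 0, 0, offset) + n
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                       len(entries), len(central), len(local), 0)
    return local + central + eocd
```

A non-empty result means the archive matches the encrypted-disk-image criterion; a real rule would combine it with the sender and URL checks before flagging.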
Categories
- Endpoint
- Web
- Cloud
- Infrastructure
Data Sources
- User Account
- Web Credential
- File
- Network Traffic
- Application Log
Created: 2022-12-07