
Attachment: SFX archive containing commands

Sublime Rules

Summary
This detection rule flags potentially malicious attachments delivered as self-extracting (SFX) archives that carry embedded SFX script commands. It considers attachments with the file extensions '.exe' and '.sfx'. An SFX archive built with such a script runs the embedded commands as soon as the recipient opens the attachment, with no separate prompt to execute anything, which makes it a convenient vehicle for dropping and launching a payload. The rule relies on pattern matching against strings inside the file: the comment header 'CMT;The comment below contains SFX script commands' (the text WinRAR writes when an SFX script is stored in the archive comment) and command lines of the form 'Setup=*', which name a file to run after extraction. This technique has been observed in real-world campaigns, so incoming attachments need to be inspected for hidden executable commands rather than judged by their extension alone. The detection method is file analysis: the rule combines attachment properties (the file extension) with the internal contents of the file to decide whether the attachment is suspicious.
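As an added example that is not part of the Sublime rule or this page, the following Python script implements the same file-analysis logic over constructed attachment bytes: it checks the extension, looks for the SFX comment header, and parses only the command block that follows that header so that unrelated strings elsewhere in the binary are not counted. The function and class names, the WinRAR SFX command keywords beyond 'Setup' (Presetup, Silent, Overwrite, Path, TempMode, Delete, Shortcut, SetupCode), and the sample byte strings are assumptions introduced here, not taken from the rule.

```python
"""Toy detector for SFX script commands embedded in an e-mail attachment.

Added example: mirrors the extension + string-matching logic described on the
page. The command keyword list beyond Setup= and the sample bytes are assumptions.
"""
import re
from dataclasses import dataclass, field

# Extensions the rule treats as candidate SFX carriers.
SFX_EXTENSIONS = {"exe", "sfx"}

# Header WinRAR writes in front of an SFX script stored in the archive comment.
SFX_COMMENT_MARKER = b"CMT;The comment below contains SFX script commands"

# Setup= is the indicator named on the page; the other keywords are documented
# WinRAR SFX script commands that control extraction and silent execution
# (assumption: included here to give analysts the full picture of the script).
SFX_COMMAND_RE = re.compile(
    rb"^\s*(Setup|Presetup|Silent|Overwrite|Path|TempMode|Delete|Shortcut|SetupCode)"
    rb"\s*=\s*(.*?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


@dataclass
class SfxVerdict:
    filename: str
    has_sfx_extension: bool
    has_comment_marker: bool
    commands: list = field(default_factory=list)  # (keyword, value) pairs as str

    def setup_targets(self) -> list:
        """Files the SFX stub would run after extraction (Setup= / Presetup=)."""
        return [v for k, v in self.commands if k.lower() in ("setup", "presetup")]

    @property
    def suspicious(self) -> bool:
        # Same shape as the page's rule: candidate extension AND the SFX comment
        # header AND at least one command that launches something.
        return (self.has_sfx_extension and self.has_comment_marker
                and bool(self.setup_targets()))


def file_extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def scan_attachment(filename: str, data: bytes) -> SfxVerdict:
    """Apply the extension check and the string/command analysis to raw bytes."""
    verdict = SfxVerdict(
        filename=filename,
        has_sfx_extension=file_extension(filename) in SFX_EXTENSIONS,
        has_comment_marker=SFX_COMMENT_MARKER in data,
    )
    if verdict.has_comment_marker:
        # Parse only the text after the header, and stop at the first NUL so the
        # regex never wanders into binary sections of the stub.
        start = data.index(SFX_COMMENT_MARKER) + len(SFX_COMMENT_MARKER)
        script = data[start:].split(b"\x00", 1)[0]
        for m in SFX_COMMAND_RE.finditer(script):
            verdict.commands.append(
                (m.group(1).decode("ascii"), m.group(2).decode("latin-1")))
    return verdict


# Constructed sample (not a real malware artifact): a PE-like stub followed by the
# kind of comment block WinRAR embeds when an SFX script is configured.
SAMPLE_SFX = (
    b"MZ" + b"\x90" * 32
    + b"CMT;The comment below contains SFX script commands\r\n"
    + b"\r\n"
    + b"Path=%TEMP%\\invoice\r\n"
    + b"Setup=invoice.pdf\r\n"
    + b"Setup=update.exe\r\n"
    + b"Silent=1\r\n"
    + b"Overwrite=1\r\n"
    + b"\x00" + b"Rar!\x1a\x07\x01\x00"
)

# Constructed benign sample: an ordinary executable that merely contains a
# "Path=" string somewhere in its data, with no SFX comment header.
SAMPLE_BENIGN = b"MZ" + b"\x90" * 32 + b"Path=C:\\Program Files\\App\r\n\x00"


if __name__ == "__main__":
    for name, blob in (("Invoice.exe", SAMPLE_SFX), ("setup.exe", SAMPLE_BENIGN),
                       ("archive.zip", SAMPLE_SFX)):
        v = scan_attachment(name, blob)
        print(f"{name}: suspicious={v.suspicious} runs={v.setup_targets()} "
              f"commands={v.commands}")
```

Note the third case in the usage block: the same bytes under a '.zip' name carry the SFX script but fail the extension check, so a rule that keys only on extension would miss a renamed carrier; in production you would want the content check to stand on its own as well.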
Categories
  • Endpoint
  • Web
  • Cloud
Data Sources
  • File
  • Process
  • Container
Created: 2023-04-05