
Summary
This detection rule identifies messages carrying CMD file attachments, a file type frequently abused to execute system commands and deliver malware. The rule applies only to inbound messages and only fires when at least one attachment is present. It flags attachments whose filename ends with the '.cmd' extension directly, as well as CMD files contained within compressed archives. By combining filename checks with archive extraction, the rule detects CMD files that a plain extension match would miss, helping to mitigate the risk of unauthorized command execution via email attachments.
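The following is an added worked example, not the rule's own implementation, showing the logic the summary describes: iterate over an inbound message's attachments, flag filenames ending in '.cmd' (matched case-insensitively), and open ZIP archives to look for '.cmd' entries inside them. The sample message and its attachments are constructed inline; the set of archive types handled (ZIP only) and the function names are assumptions made for this example.

```python
import io
import zipfile
from email.message import EmailMessage

# Constructed for this example: archive types we unpack, and the extension we hunt for.
ARCHIVE_EXTENSIONS = (".zip",)
TARGET_EXTENSION = ".cmd"


def _is_cmd_name(name):
    """Case-insensitive check for a '.cmd' filename (catches 'RUN.CMD' as well)."""
    return name.lower().endswith(TARGET_EXTENSION)


def cmd_names_in_zip(data):
    """Return entry names inside a ZIP payload that end in '.cmd'.

    Only the central directory is read; no entry is extracted to disk.
    A payload that is not a valid ZIP yields no findings rather than an error.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _is_cmd_name(n)]
    except zipfile.BadZipFile:
        return []


def find_cmd_attachments(msg, direction="inbound"):
    """Return (attachment_name, cmd_file_name) pairs for every CMD file found.

    Mirrors the rule's conditions: inbound only, attachments must be present,
    and a CMD file may be the attachment itself or an entry in a ZIP attachment.
    """
    if direction != "inbound":
        return []
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _is_cmd_name(name):
            findings.append((name, name))
        elif name.lower().endswith(ARCHIVE_EXTENSIONS):
            payload = part.get_payload(decode=True) or b""
            for inner in cmd_names_in_zip(payload):
                findings.append((name, inner))
    return findings


def build_sample_message():
    """Constructed sample: one bare CMD, one ZIP hiding a CMD, one benign PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"@echo off\r\n", maintype="application",
                       subtype="octet-stream", filename="invoice.CMD")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("docs/run.cmd", "@echo off\r\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="archive.zip")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg


if __name__ == "__main__":
    for attachment, cmd_file in find_cmd_attachments(build_sample_message()):
        print(f"CMD file detected: {cmd_file} (in attachment {attachment})")
```

The archive check reads only the ZIP directory listing, so it does not need to decompress entry data; a production version would still want a cap on entry count and nested-archive depth before opening anything, since attackers commonly nest archives to defeat a single-level look.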
Categories
- Web
- Endpoint
- Cloud
Data Sources
- File
- Network Traffic
- Application Log
Created: 2026-02-12