Attachment: 7z Archive Containing RAR File

Sublime Rules

Summary
This rule detects inbound 7z archive attachments that contain RAR files. Nesting one compressed format inside another is an evasion technique commonly used by adversaries to hide malicious payloads. The detection criteria require that the file have the .7z extension and be identified as 7z by file type. Additionally, the nested contents of the 7z archive must include one or more RAR files. By analyzing both the attachment's file type and its expanded contents, this rule helps mitigate the risk of malware or ransomware delivered in such disguised formats. It also underscores the importance of scrutinizing archive files, which are often overlooked yet can carry significant threats.
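As an added illustration of the criteria above (example code, not Sublime's own rule), the following Python models the check over an already-expanded attachment tree; `FileEntry`, its `children` list and the stub byte strings are constructed for the example, and a real pipeline would populate `children` from an archive-expansion step. It generalizes slightly beyond the summary: it identifies files by magic bytes rather than trusting the attacker-chosen name, and walks every nesting level.

```python
import os
from dataclasses import dataclass, field
from typing import Iterator, List

# Magic bytes of the two container formats this rule cares about.
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 1.5-4.x, RAR 5+


@dataclass
class FileEntry:
    """One attachment, or one file found inside an expanded archive (constructed model)."""
    name: str
    data: bytes
    children: List["FileEntry"] = field(default_factory=list)  # expanded archive contents


def file_extension(name: str) -> str:
    return os.path.splitext(name)[1].lstrip(".").lower()


def sniff_type(data: bytes) -> str:
    """Identify the container by magic bytes, not by the file name."""
    if data.startswith(SEVEN_ZIP_MAGIC):
        return "7z"
    if any(data.startswith(m) for m in RAR_MAGICS):
        return "rar"
    return "unknown"


def nested_entries(entry: FileEntry) -> Iterator[FileEntry]:
    """Depth-first walk over everything the archive expands to, at any nesting level."""
    for child in entry.children:
        yield child
        yield from nested_entries(child)


def matches_rule(attachment: FileEntry) -> bool:
    """Outer file must be a genuine 7z with the .7z extension AND contain a RAR file."""
    if file_extension(attachment.name) != "7z" or sniff_type(attachment.data) != "7z":
        return False
    return any(sniff_type(e.data) == "rar" or file_extension(e.name) == "rar"
               for e in nested_entries(attachment))


# Constructed samples: magic bytes plus zero padding stand in for real archive bodies.
STUB_7Z = SEVEN_ZIP_MAGIC + bytes(26)
NESTED_RAR = FileEntry("invoice.7z", STUB_7Z, [FileEntry("invoice.rar", RAR_MAGICS[1] + bytes(8))])
RENAMED_RAR = FileEntry("scan.7z", STUB_7Z, [FileEntry("scan.txt", RAR_MAGICS[0] + bytes(8))])
PDF_ONLY = FileEntry("report.7z", STUB_7Z, [FileEntry("report.pdf", b"%PDF-1.7" + bytes(8))])
FAKE_7Z = FileEntry("data.7z", b"PK\x03\x04" + bytes(28), [FileEntry("data.rar", RAR_MAGICS[0])])

if __name__ == "__main__":
    for sample in (NESTED_RAR, RENAMED_RAR, PDF_ONLY, FAKE_7Z):
        print(f"{sample.name}: {'ALERT' if matches_rule(sample) else 'ok'}")
```

Note that `FAKE_7Z` does not match even though it contains a RAR: its extension says 7z but its bytes do not, so the rule's file-type criterion fails.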
Categories
  • Endpoint
  • Cloud
  • Web
Data Sources
  • File
  • Container
  • Process
Created: 2025-11-09