
Attachment: Macro Files Containing MHT Content

Sublime Rules

Summary
This detection rule identifies macro-capable Office attachments that actually carry MHT (MIME HTML web archive) content, a wrapper attackers use to hide macro code from scanners that only inspect the Office container format the extension implies. It examines attachments on inbound messages and selects those whose file extension belongs to the set associated with macro-capable Office documents. Within such an attachment it then looks for content with an '.mht' extension that is not typed as 'message/rfc822' (that is, an MHT web archive rather than an embedded or forwarded e-mail message). When this combination is found on an inbound message the rule raises a medium severity alert. The check matters because MHT files can be used to deliver malware or to support credential phishing. The analysis relies on archive structure, file properties, and the macros contained within the files, and the rule is associated with the evasion and scripting attack techniques.
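The logic above, re-implemented as a stand-alone simulation so it can be run over sample attachments. This is an added example, not Sublime's own rule code: the macro-extension set is a hypothetical stand-in for the rule's real list, the MHT-versus-rfc822 classifier is a heuristic of this example rather than Sublime's file typing, and every attachment sample is constructed (no real malware).

```python
"""Simulation of the "macro file containing MHT content" check.

Added example, not Sublime's rule code. Assumptions are labelled inline.
"""
import base64
import email
from dataclasses import dataclass

# Hypothetical stand-in for the rule's macro-capable extension list.
MACRO_EXTENSIONS = {"doc", "dot", "docm", "dotm", "xls", "xlt", "xlsm", "xltm",
                    "ppt", "pot", "pptm", "potm"}


@dataclass
class Attachment:
    file_name: str
    content: bytes


def file_extension(name: str) -> str:
    """Lower-cased extension, or '' when the name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(data: bytes) -> str:
    """Classify raw bytes as 'message/rfc822', 'mht' or 'other'.

    Heuristic (this example's assumption, not Sublime's typing): both MHT
    archives and e-mails are MIME, but an e-mail carries envelope headers
    (From plus To or Received), while a Word-saved MHT is a bare
    multipart/related container. From alone is not enough: Internet
    Explorer writes a cosmetic "From: <Saved by ...>" header into its MHT files.
    """
    msg = email.message_from_bytes(data)
    if "MIME-Version" not in msg or "Content-Type" not in msg:
        return "other"  # e.g. a real OLE2/OOXML binary, no MIME headers at all
    if "From" in msg and ("To" in msg or "Received" in msg):
        return "message/rfc822"
    if msg.get_content_type() == "multipart/related":
        return "mht"
    return "other"


def rule_matches(direction: str, attachments: list) -> bool:
    """Fire when an inbound attachment wears a macro-capable Office extension
    but its bytes are an MHT archive rather than an Office container or a
    genuine e-mail message."""
    if direction != "inbound":
        return False
    return any(
        file_extension(a.file_name) in MACRO_EXTENSIONS
        and classify(a.content) == "mht"
        for a in attachments
    )


# --- constructed samples (not real malware) ---------------------------------
BOUNDARY = "----=_NextPart_000_0000"

# Word-style MHT: HTML part plus a binary part of the kind Word uses for
# embedded OLE data. The base64 payload here is a placeholder, not a macro.
MHT_SAMPLE = (
    "MIME-Version: 1.0\r\n"
    f'Content-Type: multipart/related; boundary="{BOUNDARY}"\r\n'
    "\r\n"
    f"--{BOUNDARY}\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "Content-Location: file:///C:/invoice.htm\r\n"
    "\r\n"
    "<html><body>Please enable content to view this invoice.</body></html>\r\n"
    f"--{BOUNDARY}\r\n"
    "Content-Type: application/x-mso\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Location: file:///C:/invoice_files/editdata.mso\r\n"
    "\r\n"
    + base64.b64encode(b"placeholder binary part").decode() + "\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

# A genuine OLE2 container: magic bytes followed by padding (truncated).
OLE_SAMPLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24

# A forwarded e-mail that happens to be multipart/related: must NOT match.
EML_SAMPLE = (
    "From: sender@example.com\r\n"
    "To: victim@example.com\r\n"
    "Date: Fri, 13 Jun 2025 10:00:00 +0000\r\n"
    "MIME-Version: 1.0\r\n"
    f'Content-Type: multipart/related; boundary="{BOUNDARY}"\r\n'
    "\r\n"
    f"--{BOUNDARY}\r\n"
    "Content-Type: text/html\r\n\r\n<html>hi</html>\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()


if __name__ == "__main__":
    for name, blob in [("invoice.doc", MHT_SAMPLE), ("invoice.doc", OLE_SAMPLE),
                       ("fwd.docm", EML_SAMPLE), ("page.mht", MHT_SAMPLE)]:
        print(f"{name:12s} {classify(blob):16s} "
              f"match={rule_matches('inbound', [Attachment(name, blob)])}")
```

Only the first sample fires: the same MHT bytes under a plain `.mht` name are ignored because the rule keys on the mismatch between a macro-capable Office extension and MHT content, and a forwarded message is excluded by the rfc822 check even though it is also multipart MIME.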
Categories
  • Endpoint
  • Cloud
  • Windows
  • macOS
  • Linux
Data Sources
  • File
  • Process
  • Malware Repository
Created: 2025-06-13