
Summary
This analytic rule identifies instances where the `outlook.exe` process writes `.zip` files to disk, which can indicate malicious activity such as data exfiltration or malware delivery. Using data from the Endpoint data model, the rule monitors the Sysmon events that record process executions and filesystem changes. The detection logic is a search that looks for an `outlook.exe` execution followed by the creation of any `.zip` file within the specified directories. Because Outlook is an email client, this behavior could indicate that an attachment is being used maliciously, potentially leading to unauthorized access to sensitive data. Confirming the context of the activity (the user, the mailbox item involved and what happened to the archive afterwards) is therefore essential before deciding whether it represents malware delivery or a data breach.
Categories
- Endpoint
Data Sources
- Process
- File
ATT&CK Techniques
- T1566
- T1566.001
Created: 2024-12-10