
Attachment: ZIP file with CVE-2026-0866 exploit

Sublime Rules

Summary
Technical summary: This rule detects ZIP attachments containing exploits for CVE-2026-0866 by applying the YARA signature named zip_cve_2026_0866 to the archive contents. The detection flow first filters attachments down to ZIP files, then decompresses the archive (file.explode) to reach the inner files, and finally evaluates YARA matches against the extracted content. If any inner file matches the rule name zip_cve_2026_0866, the rule raises a Malware/Ransomware alert with the Exploit and Evasion tactics. The rule relies on archive analysis, file analysis, and YARA to identify known exploit payloads inside compressed attachments. Because it depends on that specific YARA signature being present in the detection environment, the rule set must be kept up to date for the detection to remain accurate. Known limitations are password-protected archives, which cannot be decrypted or analyzed; nested archives that exceed the explosion depth limit; and possible false positives if the signature also matches benign samples. Given the medium severity, this rule covers a noteworthy risk vector through email and collaboration channels, where ZIP attachments are common and CVE-2026-0866 could be weaponized by adversaries. Operator guidance: block or quarantine the ZIP attachment, scan endpoints for related indicators, review gateway and EDR/YARA rule configurations, and confirm that the zip_cve_2026_0866 signature is current. Consider enabling deeper archive inspection, with appropriate performance and privacy controls, to improve coverage, and correlate findings with broader indicators of compromise to confirm exploitation attempts.
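The flow described above (filter ZIP, explode, match a named signature, surface the encrypted-entry and nesting-depth gaps), as an added illustration that is not Sublime's implementation: the YARA scan is replaced by a constructed byte-marker stub, and the sample archives are built in memory.

```python
import io
import zipfile

RULE_NAME = "zip_cve_2026_0866"
# Constructed marker standing in for the real YARA signature body (assumption).
FAKE_SIGNATURE = b"CVE-2026-0866-EXPLOIT-MARKER"

def yara_stub(data: bytes) -> list:
    """Stand-in for a YARA scan: returns the names of matching rules."""
    return [RULE_NAME] if FAKE_SIGNATURE in data else []

def explode_zip(data: bytes, max_depth: int = 3, prefix: str = "", depth: int = 0) -> list:
    """Recursively expand a ZIP and scan each inner file.
    Findings are (path, matches, gap); gap is None, "encrypted" or "depth"."""
    if depth >= max_depth:
        return [(prefix or "<root>", [], "depth")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                findings.append((path, [], "encrypted"))
                continue
            payload = archive.read(info)
            if zipfile.is_zipfile(io.BytesIO(payload)):  # nested archive
                findings.extend(explode_zip(payload, max_depth, path + "/", depth + 1))
            else:
                findings.append((path, yara_stub(payload), None))
    return findings

def rule_triggers(findings) -> bool:
    """The rule's verdict: any inner file matching the named signature."""
    return any(RULE_NAME in matches for _, matches, _ in findings)

def build_sample(nesting: int) -> bytes:
    """Construct a test attachment: the marker wrapped in `nesting` ZIP layers."""
    blob, name = FAKE_SIGNATURE, "payload.bin"
    for i in range(nesting):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, blob)
        blob, name = buf.getvalue(), f"inner{i}.zip"
    return blob
```

A sample nested one layer deeper than max_depth produces a "depth" finding and no match, which is exactly the coverage gap the summary warns about.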
Categories
  • Endpoint
Data Sources
  • File
Created: 2026-03-21