
Attachment: Encrypted zip file with payment-related lure

Sublime Rules

Summary
This detection rule identifies emails that carry an encrypted zip attachment together with a payment-related lure, a combination used to deliver malicious content or to facilitate fraud. The rule combines several detection techniques: it checks the email body and the subject line for keywords that commonly accompany payment-related scams, and it looks for patterns that indicate an encrypted file is present, such as phrases about passwords, encryption, and payment details. Using regular expressions and string matching, the rule captures relevant messages while keeping false positives low, focusing on messages whose zip attachments are encrypted so that typical security scanning cannot inspect them. This detection plays a role in protecting users from business email compromise (BEC) and related fraud schemes.
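As an added illustration of the logic the summary describes, the following Python is not the Sublime rule itself and is not taken from the rule source; the keyword lists, the message dictionary layout and the three sample messages are constructed here. The "encrypted" archives are ordinary in-memory zips whose general-purpose flag bit 0 is set by hand, which is the marker a detection engine reads; their contents are not actually encrypted.

```python
"""Added example: detect an encrypted zip attachment paired with a payment lure.
Not the Sublime rule; keyword lists and samples are constructed for illustration."""
import io
import re
import zipfile

# Constructed keyword sets (assumption: the real rule's lists are not on the page).
PAYMENT_TERMS = re.compile(
    r"\b(invoice|payment|remittance|wire\s?transfer|bank\s?details|overdue|ach)\b", re.I
)
PASSWORD_HINTS = re.compile(r"\b(password|passcode|pwd|encrypted|protected)\b", re.I)

ZIP_MAGIC = b"PK\x03\x04"


def is_zip(name: str, data: bytes) -> bool:
    # Trust content over extension: a renamed archive is still an archive.
    return data.startswith(ZIP_MAGIC) or name.lower().endswith(".zip")


def zip_is_encrypted(data: bytes) -> bool:
    """True when any member has bit 0 of the general-purpose flag set, which is
    how the ZIP format marks password protection. Unreadable data counts as not
    encrypted so a corrupt attachment does not crash the check."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def evaluate(message: dict) -> dict:
    """Return the verdict plus the evidence behind it, for analyst review.
    All three conditions must hold: encrypted zip, payment wording, password wording."""
    encrypted = [
        name for name, data in message["attachments"]
        if is_zip(name, data) and zip_is_encrypted(data)
    ]
    text = f"{message['subject']}\n{message['body']}"
    payment = sorted({m.lower() for m in PAYMENT_TERMS.findall(text)})
    password = sorted({m.lower() for m in PASSWORD_HINTS.findall(text)})
    return {
        "match": bool(encrypted) and bool(payment) and bool(password),
        "encrypted_zips": encrypted,
        "payment_terms": payment,
        "password_hints": password,
    }


def build_zip(name: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Constructed test archive. When mark_encrypted is set, bit 0 of the flag
    field is raised in both the local header (offset 6) and the central
    directory entry (offset 8); the payload itself stays in the clear."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            idx = data.find(sig)
            data[idx + off] |= 0x01
    return bytes(data)


# Constructed sample messages (not real mail).
SAMPLES = {
    "payment_lure": {
        "subject": "Overdue invoice - action required",
        "body": "Please find the invoice attached. The password to open the archive "
                "is in my previous email. Kindly process the payment today.",
        "attachments": [("Invoice_4471.zip", build_zip("inv.txt", b"placeholder", True))],
    },
    "plain_zip": {
        "subject": "Offsite photos",
        "body": "Here are the photos from last week. Invoice for the venue to follow.",
        "attachments": [("offsite_photos.zip", build_zip("a.jpg", b"placeholder", False))],
    },
    "encrypted_no_payment": {
        "subject": "Holiday photos",
        "body": "Password for the archive: see my text message.",
        "attachments": [("Photos.zip", build_zip("b.jpg", b"placeholder", True))],
    },
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, evaluate(msg))
```

The verdict carries its evidence so a triage analyst can see which words and which attachment fired; requiring both the payment wording and the password wording keeps an encrypted archive with no financial pretext, or a plain-text invoice with no archive, from matching on its own.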
Categories
  • Endpoint
  • Web
  • Cloud
Data Sources
  • User Account
  • Process
  • Network Traffic
  • Application Log
Created: 2025-11-26