
Summary
This rule detects unsolicited, encrypted Microsoft Office attachments, which typically use the OLE2 container format. Malicious actors commonly encrypt such files so that security products cannot inspect their contents, so monitoring for these attachments in your environment is important. The rule fires only when all of the following criteria are met: the message is an inbound email; it carries attachments with the specified file extensions or an unknown file type; OLE analysis of the attachment confirms encryption indicators; and the sender's profile is either unsolicited or has a history of malicious or spam messages with no false positives. Because receiving encrypted attachments is not normal behavior for many organizations, a match is a meaningful alert that may indicate an attempt to bypass security controls in order to deliver malware or ransomware.
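As an added illustration (not the vendor's rule code), the following Python models the criteria in the summary and runs them over constructed sample messages. It includes a small OLE2 directory parser so that the "encryption indicators" check is real rather than a stub: an encrypted Office 2007+ document is an OLE2 container whose directory holds EncryptionInfo and EncryptedPackage entries. The extension list, the treatment of a missing extension as an "unknown type", the SenderProfile fields and the minimal OLE2 files produced by build_ole2 are assumptions for this example and are not taken from the page.

```python
import struct
from dataclasses import dataclass
from typing import List

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE
# Directory entries that only exist in encrypted Office containers (assumption: this is
# what we treat as the "encryption indicator"; a production OLE scan may check more).
ENCRYPTION_ENTRIES = {"EncryptionInfo", "EncryptedPackage", "\x06DataSpaces"}
# Assumed stand-in for the rule's "specified file extensions".
OFFICE_EXTENSIONS = {"doc", "xls", "ppt", "docx", "xlsx", "pptx", "docm", "xlsm", "pptm"}


def ole_directory_names(data: bytes) -> List[str]:
    """Walk an OLE2 container's directory chain and return every entry name.
    Non-OLE or truncated input yields an empty list instead of raising."""
    if not data.startswith(OLE2_MAGIC) or len(data) < 512:
        return []
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat_sectors = struct.unpack_from("<I", data, 0x2C)[0]
    dir_sid = struct.unpack_from("<I", data, 0x30)[0]
    # The header's DIFAT array holds the first 109 FAT sector ids (enough for small files).
    fat_sids = struct.unpack_from("<109I", data, 0x4C)[:num_fat_sectors]
    fat = []
    for sid in fat_sids:
        off = (sid + 1) * sector_size
        if off + sector_size > len(data):
            return []
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, off))
    names, seen = [], set()
    while dir_sid < len(fat) and dir_sid not in seen:  # ENDOFCHAIN etc. are >= len(fat)
        seen.add(dir_sid)
        off = (dir_sid + 1) * sector_size
        if off + sector_size > len(data):
            break
        for i in range(sector_size // 128):  # one directory entry is 128 bytes
            entry = data[off + i * 128: off + (i + 1) * 128]
            name_len = struct.unpack_from("<H", entry, 0x40)[0]  # bytes incl. UTF-16 NUL
            if entry[0x42] == 0 or name_len < 2 or name_len > 64:  # type 0 = unused slot
                continue
            names.append(entry[:name_len - 2].decode("utf-16-le", "replace"))
        dir_sid = fat[dir_sid]
    return names


def build_ole2(entry_names: List[str]) -> bytes:
    """Construct a minimal valid OLE2 file (header, one FAT sector, one directory sector)
    containing the given stream names. Constructed sample data for this demo only."""
    def dir_entry(name: str, etype: int) -> bytes:
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(128)
        e[:len(raw)] = raw
        struct.pack_into("<HBB", e, 0x40, len(raw), etype, 1)  # name length, type, colour
        struct.pack_into("<III", e, 0x44, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)  # no siblings/child
        return bytes(e)
    header = bytearray(512)
    header[:8] = OLE2_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # version, byte order, shifts
    struct.pack_into("<II", header, 0x2C, 1, 1)  # one FAT sector; directory starts at sector 1
    struct.pack_into("<I", header, 0x38, 4096)  # mini-stream cutoff
    struct.pack_into("<II", header, 0x3C, ENDOFCHAIN, 0)  # no mini-FAT
    struct.pack_into("<II", header, 0x44, ENDOFCHAIN, 0)  # no extra DIFAT sectors
    struct.pack_into("<109I", header, 0x4C, 0, *([0xFFFFFFFF] * 108))  # FAT lives in sector 0
    fat = bytearray(b"\xff" * 512)
    struct.pack_into("<II", fat, 0, 0xFFFFFFFD, ENDOFCHAIN)  # sector 0 = FAT, sector 1 = directory
    entries = [dir_entry("Root Entry", 5)] + [dir_entry(n, 2) for n in entry_names[:3]]
    return bytes(header) + bytes(fat) + b"".join(entries).ljust(512, b"\x00")


@dataclass
class SenderProfile:
    solicited: bool  # the organisation has an established relationship with this sender
    malicious_count: int = 0  # prior messages from the sender flagged malicious
    spam_count: int = 0  # prior messages flagged spam
    false_positive_count: int = 0  # prior flags later overturned


@dataclass
class Attachment:
    file_name: str
    content: bytes


@dataclass
class Message:
    inbound: bool
    sender: SenderProfile
    attachments: List[Attachment]


def has_ole_encryption_indicators(content: bytes) -> bool:
    return bool(ENCRYPTION_ENTRIES & set(ole_directory_names(content)))


def matches_rule(msg: Message) -> bool:
    """Apply the rule's criteria: inbound, risky sender profile, encrypted Office attachment."""
    if not msg.inbound:
        return False
    s = msg.sender
    bad_history = (s.malicious_count + s.spam_count) > 0 and s.false_positive_count == 0
    if s.solicited and not bad_history:
        return False
    for a in msg.attachments:
        ext = a.file_name.rsplit(".", 1)[1].lower() if "." in a.file_name else ""
        if (ext in OFFICE_EXTENSIONS or ext == "") and has_ole_encryption_indicators(a.content):
            return True  # "" stands in for an unknown/absent file type
    return False


if __name__ == "__main__":
    unknown_sender = SenderProfile(solicited=False)
    print(matches_rule(Message(True, unknown_sender, [Attachment("invoice.docx", build_ole2(["EncryptionInfo", "EncryptedPackage"]))])))
    print(matches_rule(Message(True, unknown_sender, [Attachment("invoice.docx", build_ole2(["WordDocument", "1Table"]))])))
```

The parser deliberately returns an empty list for anything that is not a well-formed OLE2 container, so a truncated or non-OLE attachment never raises and never counts as encrypted; the rule's other conditions (inbound, sender profile, extension) are evaluated first so the comparatively expensive file parse only runs when the cheaper criteria already hold.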
Categories
- Endpoint
- Web
- Network
Data Sources
- File
- User Account
- Network Traffic
- Application Log
Created: 2021-09-28