
Summary
This detection rule identifies a phishing pattern in which an ISO disk image is nested inside an archive (for example a ZIP, RAR or 7z attachment) so that the malicious executable it carries is hidden from mail filters that only inspect the outer container. The rule keys on Windows process creation events in which the parent process is an archiver GUI (WinRAR, 7-Zip, PeaZip) and the child process is a disk-image tool such as ImgBurn or PowerISO. That parent/child pair is what appears when a user double-clicks an ISO inside an open archive: the archiver extracts the image to a temporary folder and launches the registered handler for it. Because the selection is a process pair, it only fires when a separate image-handling process is spawned; an image opened through Windows Explorer's built-in Mount action does not create a child process under the archiver and is not covered by this rule. False positives occur where users legitimately store ISO or IMG files inside archives and open them this way, so each hit needs context before it is escalated: the originating mail and attachment name, the temporary path of the extracted image, and what executed afterwards from the mounted volume.
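The selection logic described above, re-implemented in Python over constructed process-creation events so the matching and the triage enrichment can be run offline. This is an added example, not the rule's own Sigma logic. Field names follow the Sigma process_creation shape (ParentImage, Image, CommandLine); the sample events are constructed, and the inclusion of isoburn.exe (Windows' built-in disc image burner) alongside the ImgBurn and PowerISO handlers named on the page is an assumption.

```python
"""Archiver -> disk-image-tool process-creation check (added example).

Not the rule's own code. Field names follow the Sigma process_creation
shape (ParentImage, Image, CommandLine); the sample events are constructed.
Assumption: isoburn.exe is included alongside the ImgBurn/PowerISO handlers.
"""
import ntpath
import re
from typing import Any, Dict, List, Optional

# Archiver GUIs the page lists as the interesting parent processes.
ARCHIVERS = {"winrar.exe", "7zfm.exe", "peazip.exe"}
# Child processes that handle ISO/IMG images. isoburn.exe is an assumption.
ISO_HANDLERS = {"imgburn.exe", "poweriso.exe", "isoburn.exe"}

# A drive-letter path ending in .iso/.img somewhere in a command line.
_IMAGE_ARG = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:iso|img))\b', re.IGNORECASE)


def _basename(path: Optional[str]) -> str:
    # ntpath understands backslash paths even when this runs on Linux.
    return ntpath.basename(path or "").lower()


def matches(event: Dict[str, Any]) -> bool:
    """Selection: an archiver is the parent and an image tool is the child.

    Equivalent to Sigma 'ParentImage|endswith' / 'Image|endswith' lists,
    which most backends evaluate case-insensitively."""
    return (_basename(event.get("ParentImage")) in ARCHIVERS
            and _basename(event.get("Image")) in ISO_HANDLERS)


def image_path(cmdline: Optional[str]) -> Optional[str]:
    """Return the image file the child was asked to open, for triage."""
    m = _IMAGE_ARG.search(cmdline or "")
    return m.group(1) if m else None


def triage(event: Dict[str, Any]) -> Dict[str, Any]:
    """Enrich an event with the context needed for the false-positive check.

    An image extracted by the archiver lands in the user's temp folder
    (WinRAR uses Rar$DIa..., 7-Zip uses 7zO...), the shape expected for the
    'ISO inside an attachment' pattern. An image opened from Downloads or a
    share is more likely a deliberate user action."""
    path = image_path(event.get("CommandLine"))
    return {
        "rule_hit": matches(event),
        "image": path,
        "extracted_to_temp": bool(path) and "\\appdata\\local\\temp\\" in path.lower(),
        "user": event.get("User"),
    }


def hits(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run the selection over a batch and return enriched hits in order."""
    return [dict(id=e["id"], **triage(e)) for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # 1: user double-clicked an ISO inside a RAR -> expected hit
        "id": 1, "User": "CORP\\bob",
        "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
        "Image": r"C:\Program Files (x86)\ImgBurn\ImgBurn.exe",
        "CommandLine": r'"C:\Program Files (x86)\ImgBurn\ImgBurn.exe" "C:\Users\bob\AppData\Local\Temp\Rar$DIa9232.14755\Invoice_2022.iso"',
    },
    {   # 2: same tool, but launched from Explorer on a downloaded ISO -> no hit
        "id": 2, "User": "CORP\\bob",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\PowerISO\PowerISO.exe",
        "CommandLine": r'"C:\Program Files\PowerISO\PowerISO.exe" "C:\Users\bob\Downloads\ubuntu.iso"',
    },
    {   # 3: archiver parent, but the child is not an image tool -> no hit
        "id": 3, "User": "CORP\\alice",
        "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\alice\AppData\Local\Temp\7zO1A2B.tmp\readme.txt",
    },
    {   # 4: 7-Zip extracting an IMG and handing it to PowerISO -> expected hit
        "id": 4, "User": "CORP\\alice",
        "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
        "Image": r"C:\Program Files\PowerISO\PowerISO.exe",
        "CommandLine": r'"C:\Program Files\PowerISO\PowerISO.exe" "C:\Users\alice\AppData\Local\Temp\7zO4A3B.tmp\Statement.img"',
    },
]

if __name__ == "__main__":
    for h in hits(SAMPLE_EVENTS):
        print(h)
```

Events 1 and 4 match; event 2 shows why the parent matters (the same handler opened from Explorer is an ordinary user action) and event 3 shows why the child matters. The `extracted_to_temp` flag is the first question an analyst asks on a hit, since an image surfacing from an archiver temp directory is the attachment pattern the rule is built for.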
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-06-07