Attachment: Embedded VBScript in MHT file

type.inbound
and any(attachments,
        (
          .file_extension =~ "mht"
          or .file_extension in~ $file_extensions_common_archives
        )

        // ensure there's an mht file (if it's in an archive)
        and any(file.explode(.), .file_extension =~ "mht")
        and any(file.explode(.),
                any(.scan.html.scripts, .language == "VBScript")
        )
)