type.inbound
and any(attachments,
    // it's a RAR archive (match on declared MIME type, extension, or detected file type)
    (
        .content_type == "application/x-rar-compressed"
        or .file_extension == "rar"
        or .file_type == "rar"
    )
    // smaller than 10 MB, so it can be exploded
    and .size < 10000000
    // explode the archive and scan its contents
    and any(file.explode(.),
        // any extracted file hits the WinRAR CVE-2025-8088 YARA signature
        any(.scan.yara.matches, .name == "WinRAR_CVE_2025_8088")
    )
)