type.inbound
and any(attachments,
(.file_type == "zip" or .file_extension == "zip")
and any(file.explode(.),
any(.flavors.yara, . == 'encrypted_zip')
and .scan.encrypted_zip.cracked_password == null
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Playground
Test against your own EMLs or sample data.