diff --git a/detection-rules/attachment_7z_archive_containing_rar_file.yml b/detection-rules/attachment_7z_archive_containing_rar_file.yml
new file mode 100644
index 00000000000..742b29f6731
--- /dev/null
+++ b/detection-rules/attachment_7z_archive_containing_rar_file.yml
@@ -0,0 +1,23 @@
+name: "Attachment: 7z Archive Containing RAR File"
+description: "Detects 7z archive attachments that contain RAR files, which may be used to evade detection by nesting compressed file formats."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(attachments,
+ (
+ .file_extension in~ $file_extensions_common_archives
+ and .file_type == "7z"
+ )
+ and any(file.expand_archives(.).files, .file_type == "rar")
+ )
+tags:
+ - "Attack surface reduction"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+id: "1a629bb4-931a-5395-bf22-da327d224d3c"
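Review bot: The inner predicate `.file_type == "rar"` is a case-sensitive exact comparison while the outer attachment test uses the case-insensitive `in~`, so the two halves of the rule are held to different standards; unless `file_type` is guaranteed to be lowercase-normalized by the engine, `and any(file.expand_archives(.).files, .file_type =~ "rar")` (and likewise `.file_type =~ "7z"`) keeps the match consistent. The rule only inspects one level of `file.expand_archives(.)`, so a RAR wrapped in a further intermediate container inside the 7z, or an archive that fails to expand (e.g. password-protected), is outside its scope; that boundary is worth stating in the description so analysts tuning it know what a miss means. Minor: `source: |` retains a trailing newline on the query, `source: |-` is the usual choice for embedded text.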