diff --git a/detection-rules/attachment_any_sap_unsolicited.yml b/detection-rules/attachment_any_sap_unsolicited.yml
new file mode 100644
index 00000000000..8e338da4872
--- /dev/null
+++ b/detection-rules/attachment_any_sap_unsolicited.yml
@@ -0,0 +1,35 @@
+name: "Attachment: Any .sap file (unsolicited)"
+description: "SAP shortcut files can be abused to run unsanctioned code on endpoints. Use if receiving .sap files is not normal behavior in your environment."
+references:
+ - "https://onapsis.com/blog/sap-shortcut-phishing-threat/"
+type: "rule"
+severity: "low"
+source: |
+ type.inbound
+ and any(attachments, .file_extension == "sap")
+ and (
+ not profile.by_sender().solicited
+ or profile.by_sender().any_messages_malicious_or_spam
+ )
+ and not profile.by_sender().any_messages_benign
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+tags:
+ - "Attack surface reduction"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Scripting"
+detection_methods:
+ - "File analysis"
+ - "Header analysis"
+ - "Sender analysis"
+id: "220ed3de-1b01-54a4-898d-6081785e2870"
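Review bot: The extension check in the new rule's `source` block, `and any(attachments, .file_extension == "sap")`, is a case-sensitive string comparison, so an attachment named `report.SAP` or `report.Sap` is not matched even though the endpoint will treat it the same way; the case-insensitive form `and any(attachments, .file_extension =~ "sap")` closes that gap. The rule also only inspects top-level attachments, so a shortcut delivered inside an archive is out of scope; if that is intentional, a one-line comment in the source block saying so would save the next reader from assuming it is an oversight. The `id` and metadata keys otherwise look complete for a new rule file.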