diff --git a/insights/attachments/encrypted_zip_attachment.yml b/insights/attachments/encrypted_zip_attachment.yml
new file mode 100644
index 00000000000..86d56f03df2
--- /dev/null
+++ b/insights/attachments/encrypted_zip_attachment.yml
@@ -0,0 +1,12 @@
+name: "Encrypted zip attachment"
+type: "query"
+source: |
+  any(attachments,
+    (.file_type == "zip" or .file_extension == "zip")
+    and any(file.explode(.),
+      any(.flavors.yara, . == 'encrypted_zip') or .scan.zip.encrypted
+    )
+  )
+severity: "low"
+tags:
+  - "Suspicious attachments"
diff --git a/insights/attachments/encrypted_zip_inside.yml b/insights/attachments/encrypted_zip_inside.yml
index 6a6958e7afa..efd5385dd69 100644
--- a/insights/attachments/encrypted_zip_inside.yml
+++ b/insights/attachments/encrypted_zip_inside.yml
@@ -1,4 +1,4 @@
-name: "Files inside encrypted zip"
+name: "Files inside zip attachment"
 type: "query"
 source: |
   map(filter(attachments, .file_extension == "zip"),
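Review bot: The attachment selector in the new rule, `(.file_type == "zip" or .file_extension == "zip")`, does not match the selector used by the sibling rule in this same commit, encrypted_zip_inside.yml, which filters on `.file_extension == "zip"` alone; the two insights will fire on different sets of attachments for what is presumably the same "zip attachment" population, so one of them should be aligned with the other (the broader `.file_type` check looks like the better choice if `.file_type` is a detected type rather than a declared one, which is not visible here). The query also mixes quote styles for string literals, `'encrypted_zip'` next to `"zip"`, and the second rule uses double quotes throughout; `. == "encrypted_zip"` would keep both rules consistent. The new insight carries no description of what is being flagged or why `severity: "low"` was chosen, which the next analyst tuning it will want; if the schema has a description field, a one-line entry such as `description: "Zip attachment whose contents are password-protected, detected by the encrypted_zip YARA flavor or the zip scanner's encrypted flag."` would cover it.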
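Review bot: Renaming the insight to "Files inside zip attachment" while the file is still named encrypted_zip_inside.yml leaves the file name and the rule name disagreeing about whether encryption is part of the condition; the query body continues outside this hunk, so it is not visible here whether it still filters on encryption. If the query no longer requires an encrypted archive, renaming the file to match (for example `zip_attachment_inside.yml`) keeps the corpus greppable; if it still does, the original name was the accurate one and the new "Encrypted zip attachment" rule alongside it would overlap.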