diff --git a/rules/windows/file_access/file_access_ripzip_attack.yml b/rules/windows/file_access/file_access_ripzip_attack.yml new file mode 100644 index 000000000..b2f36c7ae --- /dev/null +++ b/rules/windows/file_access/file_access_ripzip_attack.yml @@ -0,0 +1,25 @@ +title: RipZip Attack on Startup Folder +id: a6976974-ea6f-4e97-818e-ea08625c52cb +status: experimental +description: Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in Startup folder contains “{0AFACED1-E828-11D1-9187-B532F1E9575D}” meaning the folder shortcut operation. +references: + - https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19 +author: Greg (rule) +date: 2022/07/21 +modified: 2022/07/21 +tags: + - attack.t1547 + - attack.persistence +logsource: + category: file_access + product: windows +detection: + selection1: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk + - TargetFileName|contains: '\Microsoft\Windows\Start Menu\Programs\Startup' + - TargetFileName|contains: '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}' + - TargetFileName|endswith: '.lnk' + selection2: + - Image|endswith: '\explorer.exe' + - OriginalFileName: 'explorer.exe' + condition: all of selection* +level: high
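Review bot: selection1 in the detection block is written as a YAML list of three separate maps, and Sigma ORs the items of a list, so the selection matches any file under the Startup folder, or any path containing the `.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}` marker, or any path ending in `.lnk`; combined with selection2 (explorer.exe, which is the shell on every workstation) the rule will fire on practically every shortcut explorer.exe touches. The comment above selection1 shows the intent is a single path that satisfies all three conditions, so they need to be ANDed: make selection1 a mapping rather than a list, e.g. `TargetFileName|contains|all:` with `'\Microsoft\Windows\Start Menu\Programs\Startup\'` and `'.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}'` as its two items, followed by `TargetFileName|endswith: '.lnk'` as a sibling key. selection2 as a list (Image OR OriginalFileName) is fine as written. Two smaller points: the Startup-folder persistence this detects is the sub-technique T1547.001, so `attack.t1547.001` is the more precise tag, and Sigma convention lists the tactic (`attack.persistence`) before the technique; the curly quotes around the CLSID in the description should be plain ASCII quotes so the string can be copied into a search verbatim.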