
Summary
This detection rule identifies malicious HTML attachments that carry a base64-encoded ZIP or Office file and decode it in the browser. The technique relies on JavaScript such as `atob`, `String.fromCharCode`, or a custom `base64` routine to reconstruct the payload on the client side, so the archive or document is never delivered as a plain attachment and can slip past controls that only inspect the file as received. The rule fires when three conditions hold: the attachment has a file extension associated with HTML content, the file's text contains one of these JavaScript decoding patterns, and the text also contains the base64 encoding of the magic bytes of a ZIP file (which also covers OOXML documents such as .docx and .xlsx) or a legacy OLE Office file. A negation condition excludes legitimately encoded content from Micro Focus Voltage Secure Messaging, reducing the likelihood of false positives.
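The following is an added Python example, not the rule's own implementation, that mirrors the three conditions and the negation described above and runs them over constructed sample attachments. The HTML extension list, the Voltage Secure Messaging marker string, and the sample files are assumptions for illustration; the base64 prefixes are derived from the real ZIP and OLE2 signatures, keeping only the characters that the signature bytes fully determine.

```python
"""Added example: a scanner that applies the HTML-attachment / base64-payload logic
described on this page. It is not the rule's own code."""
import base64
import io
import re
import zipfile

# Assumed set of extensions the rule treats as HTML content (the page does not list them).
HTML_EXTENSIONS = {".html", ".htm", ".xhtml", ".shtml"}

# Client-side decoding patterns named on the page.
DECODE_PATTERNS = [
    re.compile(r"\batob\s*\("),
    re.compile(r"\bString\.fromCharCode\s*\("),
    re.compile(r"base64", re.IGNORECASE),
]


def b64_prefix(magic: bytes) -> str:
    """Return only the base64 characters that `magic` fully determines.

    Each base64 character encodes 6 bits, so len(magic)*8 // 6 characters are fixed;
    the next character also depends on the bytes that follow the signature and is
    deliberately dropped so the match does not depend on file contents after the header.
    """
    fixed = (len(magic) * 8) // 6
    return base64.b64encode(magic).decode("ascii")[:fixed]


# ZIP local file header (also the container for OOXML .docx/.xlsx/.pptx).
ZIP_B64 = b64_prefix(b"PK\x03\x04")
# OLE2 compound file header (legacy .doc/.xls/.ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_B64 = b64_prefix(OLE_MAGIC)

# Placeholder for the Voltage Secure Messaging exclusion; the real rule's marker is not on the page.
VOLTAGE_MARKER = "Voltage Secure Messaging"  # assumed


def is_suspicious_html_attachment(filename: str, text: str) -> bool:
    """True when the attachment matches the rule: HTML extension, a JS decoding pattern,
    a base64-encoded ZIP/OLE signature, and no Voltage Secure Messaging marker."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in HTML_EXTENSIONS:
        return False
    if not any(p.search(text) for p in DECODE_PATTERNS):
        return False
    if ZIP_B64 not in text and OLE_B64 not in text:
        return False
    if VOLTAGE_MARKER in text:  # negation condition
        return False
    return True


def _tiny_zip() -> bytes:
    """Constructed in-memory ZIP so the sample carries a genuine PK signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("payload.txt", "constructed test content")
    return buf.getvalue()


def sample_attachments() -> dict:
    """Constructed sample attachments (filename -> text); none are real malware."""
    zip_b64 = base64.b64encode(_tiny_zip()).decode("ascii")
    ole_b64 = base64.b64encode(OLE_MAGIC + b"\x00" * 16).decode("ascii")
    dropper = (
        "<script>var b='" + zip_b64 + "';var a=atob(b);"
        "var u=new Uint8Array(a.length);for(var i=0;i<a.length;i++)u[i]=a.charCodeAt(i);"
        "var l=document.createElement('a');"
        "l.href=URL.createObjectURL(new Blob([u],{type:'application/zip'}));"
        "l.download='invoice.zip';l.click();</script>"
    )
    return {
        "dropper.html": dropper,                                             # ZIP smuggled via atob
        "legacy.htm": "<script>var d=atob('" + ole_b64 + "');</script>",   # OLE document via atob
        "logo.html": "<img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUg'>",  # benign inline image
        "secure.html": "<!-- " + VOLTAGE_MARKER + " --><script>atob('" + zip_b64 + "')</script>",
        "notes.txt": "atob('" + zip_b64 + "')",                              # not an HTML extension
    }


def scan_samples() -> dict:
    """Run the rule over the constructed samples; returns filename -> verdict."""
    return {name: is_suspicious_html_attachment(name, text)
            for name, text in sample_attachments().items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:14} {'MATCH' if hit else 'clean'}")
```

Two points worth keeping in mind when tuning this: the signature prefixes assume the payload starts at offset 0 of the base64 string, so an attacker who prepends junk bytes or splits the string across concatenations (`'UEs' + 'DB...'`) shifts the alignment and evades a plain substring match; and the `base64` keyword alone is a weak signal, since inline images and fonts use it legitimately, which is why the magic-byte condition does the real work here.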
Categories
- Web
- Endpoint
- Cloud
- Application
Data Sources
- File
- Network Traffic
- Application Log
- Process
Created: 2025-11-21