
Summary
This rule identifies potentially malicious emails that carry an EML attachment whose message body contains a base64 encoded script. It focuses on inbound messages and only evaluates threads whose body is shorter than 1000 characters, filtering out larger or likely irrelevant messages. The rule specifically checks for attachments that either have a content type of 'message/rfc822' or a file extension of 'eml', and flags any case where the attached EML's HTML body contains a base64 encoded script, a tactic used for phishing or malware delivery. To reduce noise, it excludes emails from known automated sources such as postmaster accounts and delivery status notifications. The detection therefore strengthens protection against credential phishing through careful analysis of email attachments.
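The checks described above, written out as an added Python example (not the rule's own query language or code): it parses a raw message, drops postmaster and delivery status noise, applies the 1000-character body limit to the outer text body, and decodes base64 runs found in the HTML body of any message/rfc822 or .eml attachment looking for script markers. The sample message it builds is constructed here for illustration; the inbound-direction condition is assumed to be handled by the mail pipeline and is not modelled.

```python
import base64
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

AUTOMATED_SENDERS = ("postmaster@", "mailer-daemon@")  # noise the rule excludes
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")       # candidate base64 blobs
SCRIPT_MARKERS = (b"<script", b"javascript:")           # decoded blob must look like script

def html_has_base64_script(html):
    """True if any base64 run in the HTML decodes to something script-like."""
    for run in B64_RUN.findall(html):
        try:
            decoded = base64.b64decode(run, validate=True).lower()
        except ValueError:          # not valid base64, skip it
            continue
        if any(marker in decoded for marker in SCRIPT_MARKERS):
            return True
    return False

def attached_emls(msg):
    """Yield parsed messages for attachments typed message/rfc822 or named *.eml."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "message/rfc822":
            yield part.get_payload()[0]   # stdlib already parsed the nested message
        elif name.endswith(".eml"):
            yield message_from_bytes(part.get_payload(decode=True), policy=policy.default)

def matches_rule(raw):
    """Apply the rule's conditions to one raw message (bytes); True means alert."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    if any(tag in sender for tag in AUTOMATED_SENDERS) or msg.get_content_type() == "multipart/report":
        return False                  # postmaster / delivery status notification
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and len(body.get_content()) >= 1000:
        return False                  # the rule only considers short bodies
    for inner in attached_emls(msg):
        html = inner.get_body(preferencelist=("html",))
        if html is not None and html_has_base64_script(html.get_content()):
            return True
    return False

def build_sample(sender="invoices@example.test", body="Please review the attached message."):
    """Constructed sample: an EML attachment whose HTML body carries a base64 encoded script."""
    blob = base64.b64encode(b"<script>window.location='https://example.test/login'</script>").decode()
    inner = EmailMessage()
    inner["From"], inner["Subject"] = "noreply@example.test", "Invoice"
    inner.set_content("Open in a browser.")
    inner.add_alternative(f'<html><body><img src="data:text/html;base64,{blob}"></body></html>', subtype="html")
    outer = EmailMessage()
    outer["From"], outer["Subject"] = sender, "FW: Invoice"
    outer.set_content(body)
    outer.add_attachment(inner)       # serialised as a message/rfc822 attachment
    return outer.as_bytes()
```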
Categories
- Cloud
- Endpoint
- Web
Data Sources
- User Account
- File
- Application Log
- Process
Created: 2024-01-30