
Summary
The rule focuses on identifying email-based threats by detecting embedded email headers within the body of the message. Attackers use this technique in several ways, such as forwarding legitimate emails to spoof notifications or using copy-and-paste to construct phishing emails from a real message. The logic of the rule is based on the distinction between the plain-text and HTML versions of the email body. It looks for strings that are expected only in the message's header section, not in the body content, such as 'Delivered-To:', 'X-Google-Smtp-Source:', and 'ARC-Seal: i='. If these are found in the plain-text version but not in the HTML version, the rule raises a flag. The rule also includes conditions that filter out legitimate forwarded emails to avoid false positives, such as checking the References or Reply-To headers. The sender's domain is checked against a list of organizational and high-trust domains to identify potential spoofing attempts. Overall, this detection rule helps combat various attack vectors, including credential phishing, business email compromise, and other forms of email fraud.
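The following is an added example, not the rule's own source: a minimal Python re-implementation of the logic described above, run over constructed sample messages. The header markers come from the summary; the exact forward/reply exclusion conditions, the naive root-domain extraction and the trusted-domain list are assumptions made for the example.

```python
"""Added example: embedded-header detection over multipart/alternative mail.

Not the rule's own code. Exclusion conditions, root-domain handling and the
trusted-domain list are assumptions; the marker strings are from the summary.
"""
from email import message_from_string
from email.policy import default

# Strings that belong in the header section of a message, never in its body.
EMBEDDED_HEADER_MARKERS = ("Delivered-To:", "X-Google-Smtp-Source:", "ARC-Seal: i=")

# Assumed organisational / high-trust root domains the sender is compared against.
TRUSTED_DOMAINS = {"example.com", "google.com"}


def _body_text(msg, subtype):
    """Return the text of the first text/<subtype> part, or '' if absent."""
    part = msg.get_body(preferencelist=(subtype,))
    return part.get_content() if part is not None else ""


def has_embedded_headers(text):
    """Case-insensitive check for any header marker inside a body string."""
    lowered = text.lower()
    return any(marker.lower() in lowered for marker in EMBEDDED_HEADER_MARKERS)


def sender_root_domain(msg):
    """Naive root domain of the From address (assumption: last two labels,
    no public-suffix list), e.g. accounts.google.com -> google.com."""
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return ""
    labels = from_hdr.addresses[0].domain.lower().split(".")
    return ".".join(labels[-2:])


def looks_like_legitimate_forward(msg):
    """Assumed benign-forward/reply exclusions: a References header (the message is
    part of a real thread) or a Reply-To in the same domain as the sender."""
    if msg["References"] is not None:
        return True
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses and msg["From"].addresses:
        return reply_to.addresses[0].domain.lower() == msg["From"].addresses[0].domain.lower()
    return False


def detect_embedded_headers(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """True when markers appear in the plain-text body but not the HTML body,
    no legitimate-forward exclusion applies, and the sender claims a trusted domain."""
    msg = message_from_string(raw_message, policy=default)
    plain, html = _body_text(msg, "plain"), _body_text(msg, "html")
    if not has_embedded_headers(plain) or has_embedded_headers(html):
        return False
    if looks_like_legitimate_forward(msg):
        return False
    return sender_root_domain(msg) in trusted_domains


def build_message(from_addr, plain, html, extra_headers=""):
    """Constructed sample multipart/alternative message (not captured traffic).
    extra_headers, if given, must end with a newline."""
    return (
        f"From: {from_addr}\nTo: victim@example.com\nSubject: Security alert\n"
        f"{extra_headers}MIME-Version: 1.0\n"
        'Content-Type: multipart/alternative; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain; charset=utf-8\n\n"
        f"{plain}\n--b1\nContent-Type: text/html; charset=utf-8\n\n"
        f"{html}\n--b1--\n"
    )


# Constructed bodies: the plain text carries pasted transport headers, the HTML does not.
PASTED_HEADERS = (
    "Delivered-To: victim@example.com\n"
    "X-Google-Smtp-Source: AGHTFakeToken0000\n"
    "ARC-Seal: i=1; a=rsa-sha256; t=1700000000; cv=none; d=google.com\n\n"
    "Someone signed in to your account. Review the activity now.\n"
)
CLEAN_HTML = '<p>Someone signed in to your account. <a href="http://example.invalid">Review</a></p>'
TRUSTED_FROM = '"Google" <no-reply@accounts.google.com>'

SPOOFED_NOTIFICATION = build_message(TRUSTED_FROM, PASTED_HEADERS, CLEAN_HTML)
THREAD_FORWARD = build_message(TRUSTED_FROM, PASTED_HEADERS, CLEAN_HTML,
                               extra_headers="References: <abc123@mail.google.com>\n")
MARKERS_IN_BOTH = build_message(TRUSTED_FROM, PASTED_HEADERS, "<pre>" + PASTED_HEADERS + "</pre>")
UNTRUSTED_SENDER = build_message("promo@random-host.invalid", PASTED_HEADERS, CLEAN_HTML)

if __name__ == "__main__":
    for name, raw in [("spoofed notification", SPOOFED_NOTIFICATION),
                      ("thread forward", THREAD_FORWARD),
                      ("markers in both bodies", MARKERS_IN_BOTH),
                      ("untrusted sender", UNTRUSTED_SENDER)]:
        print(f"{name:24s} -> flagged={detect_embedded_headers(raw)}")
```

Only the first sample fires: the second is excluded by its References header, the third has the markers in both body versions (so the plain/HTML distinction does not hold), and the fourth claims no trusted domain. Real deployments should replace the naive root-domain split with a public-suffix-aware parser and tune the forward/reply exclusions against their own mail flow.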
Categories
- Identity Management
- Web
- Endpoint
Data Sources
- User Account
- Web Credential
- Application Log
Created: 2025-12-02