
Summary
This rule identifies a browser process opening an HTML file that has high entropy and a large size. Attackers often use seemingly benign HTML files to smuggle payloads past security controls (HTML smuggling). The detection targets unusual characteristics of the HTML file, such as a file size exceeding 150,000 bytes or an entropy level above 5, combined with the file being opened by specific browser processes, typically from common directories like Downloads and Temp. It also highlights fallback measures and potential benign scenarios that could lead to false positives. The rule flags potentially malicious activity and advises on investigation techniques, handling procedures, and possible whitelisting of known trusted applications or file paths. MITRE ATT&CK references align the rule with recognized tactics such as Initial Access and Defense Evasion.
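The following Python script is an added example, not the rule's own query logic, that implements the detection described above: it computes Shannon entropy over the file bytes, applies the 150,000-byte and entropy-above-5 thresholds from the summary, requires the opener to be a browser and the file to sit under a Downloads or Temp directory, and honours an allowlist of trusted paths. The browser process names, the allowlisted prefix and the sample events are assumptions constructed for this example; a real EDR would normally supply the file's size and entropy fields rather than the raw bytes.

```python
"""Toy detector for the HTML-smuggling rule described above (added example)."""
import base64
import math
import random
from dataclasses import dataclass
from typing import List

SIZE_THRESHOLD = 150_000       # bytes, from the rule summary
ENTROPY_THRESHOLD = 5.0        # bits per byte, from the rule summary
# Assumed browser process names; the page does not list them.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SUSPICIOUS_DIRS = {"downloads", "temp"}   # directory names named in the summary
# Assumed allowlist of trusted paths (the "whitelisting" the rule suggests).
ALLOWLISTED_PREFIXES = ("c:/program files/",)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass
class FileOpenEvent:
    process_name: str   # image name of the process opening the file
    file_path: str      # path of the file being opened
    content: bytes      # file bytes (constructed here; an EDR would give size/entropy)


@dataclass
class Verdict:
    alert: bool
    size: int
    entropy: float
    reason: str


def _normalize(path: str) -> str:
    """Lower-case the path and use forward slashes so checks are OS-agnostic."""
    return path.replace("\\", "/").lower()


def evaluate(event: FileOpenEvent) -> Verdict:
    """Apply the rule's conditions in order, returning the first reason that decides."""
    path = _normalize(event.file_path)
    size = len(event.content)
    entropy = shannon_entropy(event.content)
    if event.process_name.lower() not in BROWSER_PROCESSES:
        return Verdict(False, size, entropy, "not a browser process")
    if not path.endswith((".html", ".htm")):
        return Verdict(False, size, entropy, "not an HTML file")
    if path.startswith(ALLOWLISTED_PREFIXES):
        return Verdict(False, size, entropy, "allowlisted path")
    if not SUSPICIOUS_DIRS.intersection(path.split("/")):
        return Verdict(False, size, entropy, "not in a watched directory")
    if size > SIZE_THRESHOLD or entropy > ENTROPY_THRESHOLD:
        return Verdict(True, size, entropy, "large or high-entropy HTML opened by browser")
    return Verdict(False, size, entropy, "below size and entropy thresholds")


def build_samples() -> List[FileOpenEvent]:
    """Constructed sample events: a plain page and a page carrying a base64 blob."""
    benign = b"<html><body><p>Hello world, this is a benign page.</p></body></html>" * 40
    rng = random.Random(42)   # fixed seed so the blob is reproducible
    blob = base64.b64encode(bytes(rng.getrandbits(8) for _ in range(6000)))
    smuggled = b"<html><body><script>var b='" + blob + b"';</script></body></html>"
    return [
        FileOpenEvent("chrome.exe", r"C:\Users\alice\Downloads\invoice.html", benign),
        FileOpenEvent("msedge.exe", r"C:\Users\alice\Downloads\invoice.html", smuggled),
        FileOpenEvent("notepad.exe", r"C:\Users\alice\Downloads\invoice.html", smuggled),
        FileOpenEvent("chrome.exe", r"C:\Program Files\Vendor\help.html", smuggled),
    ]


if __name__ == "__main__":
    for ev in build_samples():
        v = evaluate(ev)
        print(f"{ev.process_name:12} {ev.file_path:45} size={v.size:6} "
              f"entropy={v.entropy:.2f} alert={v.alert} ({v.reason})")
```

The entropy threshold of 5 bits per byte works because ordinary HTML and JavaScript text usually sits around 4 to 5 bits, while base64-encoded binary approaches its 6-bit ceiling; only the second sample event alerts. The same check is what makes minified bundles with embedded base64 assets a plausible false positive, which is why the allowlist and the restriction to Downloads and Temp are part of the logic rather than an afterthought.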
Categories
- Endpoint
Data Sources
- File
- Process
ATT&CK Techniques
- T1566
- T1566.001
- T1566.002
- T1027
- T1027.006
Created: 2022-07-03