
Summary
This detection rule identifies HTML files smaller than 100KB whose HTML comments contain suspicious padding or duplicated text. It applies regular expressions (regex) to the comments in an HTML document, looking specifically for phrases that are commonly duplicated as filler, such as literary quotes or popular sayings. The rule uses two thresholds: at least 50% of the identified comments must be duplicates, or more than two comments must match a common-saying pattern. Either condition is indicative of HTML smuggling, a technique commonly used in credential phishing and malware distribution, where attackers hide malicious content among benign-looking comments. The rule therefore performs a dual check: it tests whether comments match literary quotes or sayings, and it computes the ratio of duplicated comments, so that flagged files exhibit behavior aligned with known attack patterns rather than ordinary comment usage.
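The logic described above, written out as an added Python example (this is not the rule's own implementation, and the list of "common saying" patterns is a constructed placeholder for whatever phrase list the real rule carries). The size limit, the 50% duplicate ratio and the more-than-two-sayings count are taken from the summary; the sample HTML documents are constructed inline for the purpose of the demonstration.

```python
import re
from collections import Counter
from typing import Dict, List

# Thresholds as stated in the rule summary.
MAX_FILE_SIZE = 100 * 1024          # files must be smaller than 100KB
DUPLICATE_RATIO_THRESHOLD = 0.5     # >= 50% of comments are duplicates
SAYING_COUNT_THRESHOLD = 2          # more than two comments match a saying

# Constructed sample of "common saying" / literary-quote fragments.
# Assumption: the real rule's phrase list is not on the page, so these
# are placeholders chosen only to make the example run.
SAYING_PATTERNS = [
    re.compile(r"\bto be or not to be\b", re.I),
    re.compile(r"\bthe quick brown fox\b", re.I),
    re.compile(r"\ball that glitters\b", re.I),
    re.compile(r"\blorem ipsum\b", re.I),
    re.compile(r"\ba penny saved\b", re.I),
]

# Non-greedy, DOTALL match so multi-line comments are captured whole.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


def extract_comments(html: str) -> List[str]:
    """Return the normalized (whitespace-collapsed, lower-cased) text of every HTML comment."""
    out = []
    for raw in COMMENT_RE.findall(html):
        text = re.sub(r"\s+", " ", raw).strip().lower()
        if text:
            out.append(text)
    return out


def analyze(html: str) -> Dict[str, object]:
    """Evaluate one HTML document against the padded-comment heuristic."""
    size = len(html.encode("utf-8"))
    comments = extract_comments(html)
    total = len(comments)

    # A comment counts as a duplicate if its normalized text appears more than once.
    counts = Counter(comments)
    duplicates = sum(n for n in counts.values() if n > 1)
    duplicate_ratio = duplicates / total if total else 0.0

    # Number of comments that match at least one saying pattern.
    saying_hits = sum(
        1 for c in comments if any(p.search(c) for p in SAYING_PATTERNS)
    )

    under_size_limit = size < MAX_FILE_SIZE
    flagged = (
        under_size_limit
        and total > 0
        and (duplicate_ratio >= DUPLICATE_RATIO_THRESHOLD
             or saying_hits > SAYING_COUNT_THRESHOLD)
    )
    return {
        "size_bytes": size,
        "under_size_limit": under_size_limit,
        "comment_count": total,
        "duplicate_ratio": duplicate_ratio,
        "saying_hits": saying_hits,
        "flagged": flagged,
    }


# Constructed sample: a small page padded with repeated quote comments.
SUSPICIOUS_SAMPLE = """<html><head><title>Invoice</title></head><body>
<!-- To be or not to be, that is the question -->
<p>Please wait while your document loads.</p>
<!-- To be or not to be, that is the question -->
<!-- The quick brown fox jumps over the lazy dog -->
<!-- To be or not to be,
     that is the question -->
<script>/* payload placeholder: omitted in this constructed sample */</script>
</body></html>"""

# Constructed sample: an ordinary page with a single build comment.
BENIGN_SAMPLE = """<html><body>
<!-- Generated by the site build on deploy -->
<p>Welcome back.</p>
</body></html>"""

# Constructed sample: suspicious comments, but the file exceeds the size limit,
# so the rule does not fire.
OVERSIZED_SAMPLE = "<!-- lorem ipsum -->" * 3 + "x" * MAX_FILE_SIZE


if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_SAMPLE),
                      ("benign", BENIGN_SAMPLE),
                      ("oversized", OVERSIZED_SAMPLE)):
        print(name, analyze(doc))
```

The duplicate ratio counts every occurrence of a repeated comment, so three identical comments out of four yield 0.75, which is what a padding generator that stamps the same quote repeatedly produces; the size check is evaluated first because the summary scopes the rule to files under 100KB regardless of comment content.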
Categories
- Web
- Cloud
- Application
- Endpoint
Data Sources
- File
- Process
- Malware Repository
- Network Traffic
Created: 2025-04-02