Suspected Cross-Site Scripting (XSS) found in subject

Sublime Rules

Summary
This detection rule targets Cross-Site Scripting (XSS) attempts placed in email subject lines. It uses regex patterns to match not only straightforward XSS strings but also obfuscated indicators such as encoded characters, HTML entities, and common JavaScript functions often employed in XSS attacks. To reduce false positives, the rule skips messages from highly trusted domains unless those messages fail DMARC authentication checks. Emails sent from Google Groups are still scrutinized even if they originate from trusted domains, so the trusted-domain exemption does not open a gap for relayed messages.
Categories
  • Web
  • Identity Management
  • Cloud
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2025-02-13
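
The decision logic described in the summary, sketched in Python as an added example; it is not the rule's own source. The regex patterns, the `trusted.example` domain, and the message fields (`sender_domain`, `dmarc_pass`, `via_google_groups`) are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote

# Assumed indicator patterns; the rule's own regexes are not shown on this page.
XSS_PATTERNS = [re.compile(p, re.I) for p in (
    r"<\s*script\b",
    r"\bjavascript\s*:",
    r"\bon(?:error|load|click|mouseover|focus)\s*=",
    r"\b(?:alert|eval|atob)\s*\(",
    r"\bdocument\.(?:cookie|write|location)\b",
)]

# Placeholder for the "highly trusted domains" list the summary refers to.
TRUSTED_SENDER_DOMAINS = {"trusted.example"}

def normalize(subject: str) -> str:
    """Strip URL encoding and HTML entities, repeating to unwrap nested layers."""
    for _ in range(3):
        decoded = html.unescape(unquote(subject))
        if decoded == subject:
            break
        subject = decoded
    return subject

def subject_has_xss(subject: str) -> bool:
    text = normalize(subject)
    return any(p.search(text) for p in XSS_PATTERNS)

def should_flag(msg: dict) -> bool:
    if not subject_has_xss(msg["subject"]):
        return False
    trusted = msg["sender_domain"].lower() in TRUSTED_SENDER_DOMAINS
    # A trusted sender is skipped only when DMARC passes and the message
    # did not come through Google Groups.
    return not (trusted and msg["dmarc_pass"] and not msg["via_google_groups"])

def sample(subject, domain, dmarc_pass, groups=False):
    return {"subject": subject, "sender_domain": domain,
            "dmarc_pass": dmarc_pass, "via_google_groups": groups}

# Constructed sample messages, not real mail.
SAMPLES = [
    sample("Invoice <script>alert(1)</script>", "unknown.example", True),
    sample("Re: %253Cscript%253Ealert(1)", "unknown.example", True),
    sample("&lt;img src=x onerror=alert(1)&gt;", "trusted.example", True),
    sample("&lt;img src=x onerror=alert(1)&gt;", "trusted.example", False),
    sample("&lt;img src=x onerror=alert(1)&gt;", "trusted.example", True, True),
    sample("Quarterly report: alert thresholds (updated)", "unknown.example", True),
]
RESULTS = [should_flag(m) for m in SAMPLES]
```

The third sample is the only XSS-bearing subject that is not flagged: a trusted sender with passing DMARC and no Google Groups relay.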