Attachment: HTML with Hidden Body

Sublime Rules

Summary
This detection rule targets HTML attachments whose body element is hidden, a tactic commonly used in phishing attacks. The rule fires on an inbound email from a non-solicited sender or from a sender's domain that is not in a set of high-trust domains, particularly when the email fails DMARC authentication. It checks whether any attachment has an 'html' file extension and uses a regex to determine whether the HTML in the attachment begins with a body element carrying a hidden style (display: none). Hiding the body lets malicious content in a seemingly benign HTML file evade casual inspection. The rule combines several detection methods, including content, HTML, and file analysis, to identify potentially harmful HTML attachments with reasonable accuracy.
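As an added illustration (not the Sublime rule itself), the following Python reproduces the logic the summary describes over constructed messages: the message model, the sender-domain and DMARC gate, the extension check, and a regex for an HTML document that opens with a display:none body. The `Message`/`Attachment` classes, the combination "untrusted sender OR DMARC failure", and the regex's tolerance for a leading doctype/html/head prefix are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample attachments (not taken from any real campaign).
HIDDEN_BODY_HTML = b"""<html><head><title>Invoice</title></head>
<body style="display: none;"><p>hidden content</p></body></html>"""
BENIGN_HTML = b"<html><body><p>Meeting notes</p></body></html>"

# Approximation of the rule's regex: the document must begin (after an
# optional doctype/html/head prefix, an assumption) with a <body> whose
# inline style hides it.
HIDDEN_BODY_RE = re.compile(
    rb"^\s*(?:<!doctype[^>]*>\s*)?(?:<html[^>]*>\s*)?(?:<head[^>]*>.*?</head>\s*)?"
    rb"<body[^>]*style\s*=\s*[\"'][^\"']*display\s*:\s*none",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Attachment:
    file_name: str
    content: bytes


@dataclass
class Message:
    direction: str        # "inbound" or "outbound"
    sender_domain: str
    dmarc_pass: bool
    attachments: list


def attachment_has_hidden_body(att: Attachment) -> bool:
    """True if the attachment is an .html file that opens with a hidden body."""
    if not att.file_name.lower().endswith(".html"):
        return False
    return HIDDEN_BODY_RE.match(att.content) is not None


def matches_rule(msg: Message, high_trust_domains: set) -> bool:
    """Inbound, (untrusted sender domain OR DMARC failure), hidden-body .html."""
    if msg.direction != "inbound":
        return False
    untrusted = msg.sender_domain.lower() not in high_trust_domains
    if not (untrusted or not msg.dmarc_pass):
        return False
    return any(attachment_has_hidden_body(a) for a in msg.attachments)
```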
Categories
  • Endpoint
  • Web
  • Identity Management
Data Sources
  • File
  • Process
  • Network Traffic
Created: 2024-06-24