
Summary
This detection rule identifies potentially malicious HTML files that are automatically downloaded via links contained in messages. It focuses on links that originate from low-reputation domains, including known free file hosts and URL shortening services. The rule applies a series of conditions that analyze the domain characteristics of each link to spot anomalies. It also inspects the contents of the downloaded HTML files for signs of HTML smuggling, such as the use of JavaScript functions like 'atob()' and obfuscated code patterns that typically signal a credential phishing attack. The rule filters out legitimate domains to minimize false positives while still flagging high-risk content that could compromise user credentials or security. It combines content, file, JavaScript, URL, and sender analysis to determine whether the content is malicious.
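As an added example that is not part of the rule itself, the following Python sketches the two-part check the summary describes: a link from a low-reputation domain combined with HTML smuggling indicators in the downloaded file. The domain list, the indicator regexes and the sample pages are constructed assumptions, not the rule's own logic.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder list standing in for the low-reputation / free-file-host
# domains the rule refers to (not a real threat list).
LOW_REPUTATION_DOMAINS = {"free-host.example", "shorturl.example"}

# Indicators named in the summary (atob, obfuscation) plus common smuggling idioms.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob_download": re.compile(r"new\s+Blob\s*\(|createObjectURL\s*\(|\.download\s*="),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    "fromcharcode": re.compile(r"String\.fromCharCode\s*\("),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}

def link_domain_is_low_reputation(url: str, low_rep: set = LOW_REPUTATION_DOMAINS) -> bool:
    """True if the link host is, or is a subdomain of, a low-reputation domain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in low_rep)

def html_smuggling_indicators(html: str) -> set:
    """Return the names of smuggling/obfuscation patterns found in the HTML body."""
    return {name for name, rx in INDICATORS.items() if rx.search(html)}

def assess_download(url: str, html: str) -> dict:
    """Mirror the rule: flag only when the link is low-reputation AND the file
    shows smuggling indicators, so plain files from such hosts are not flagged."""
    hits = html_smuggling_indicators(html)
    low_rep = link_domain_is_low_reputation(url)
    return {"flag": low_rep and bool(hits), "low_reputation": low_rep, "indicators": sorted(hits)}

# Constructed sample: a smuggling page that decodes an embedded string and
# triggers a browser download; the "payload" is filler text, not real content.
SAMPLE_SMUGGLED_HTML = """<html><body><script>
var p = "%s";
var b = new Blob([Uint8Array.from(atob(p), c => c.charCodeAt(0))]);
var a = document.createElement('a'); a.href = URL.createObjectURL(b);
a.download = 'invoice.html'; a.click();
</script></body></html>""" % ("QUJD" * 60)

SAMPLE_BENIGN_HTML = "<html><body><h1>Quarterly report</h1><p>See attached.</p></body></html>"

if __name__ == "__main__":
    print(assess_download("https://files.free-host.example/dl/abc", SAMPLE_SMUGGLED_HTML))
    print(assess_download("https://intranet.corp.example/report", SAMPLE_SMUGGLED_HTML))
```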
Categories
- Web
- Network
- Cloud
- Endpoint
Data Sources
- User Account
- Web Credential
- Network Traffic
- Process
Created: 2024-05-09