
Summary
This detection rule targets unsolicited HTML files embedded within archive files, a common tactic in malicious campaigns to evade detection. The rule recursively scans archive attachments for any HTML files (.html or .htm) sent from unknown or suspicious sources. It analyzes the sender's profile to assess whether they are a recognized and solicited contact, and checks past interactions for any malicious or spam messages. If the sender is either unknown or has been flagged for previous malicious activity, the detection is triggered.

This strategy matters because HTML files are often used for tactics such as HTML smuggling, which is why thorough archive analysis is needed. By embedding potentially harmful files in archives, attackers can circumvent traditional security measures that only scan individual files in isolation, which makes this rule essential for strengthening organizational defense against a range of attacks, especially credential phishing and malware distribution.
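The following is an added example, not the rule's own query or any vendor's implementation: a small Python model of the logic described above. It recursively walks a zip archive (nested zips included), collects any .html or .htm members, and combines that with two assumed sender attributes, `known_contact` and `prior_malicious_or_spam`, to decide whether to alert. The archives and sender profiles are constructed in-memory test data, and only zip containers are handled; a real pipeline would add other archive formats and the organization's own contact and message-history lookups.

```python
import io
import zipfile
from dataclasses import dataclass

HTML_EXTENSIONS = (".html", ".htm")
ARCHIVE_EXTENSIONS = (".zip",)  # assumption: only zip containers are handled here


def find_html_in_archive(data: bytes, prefix: str = "", depth: int = 0,
                         max_depth: int = 5) -> list[str]:
    """Recursively walk a zip archive held in memory and return the paths
    of every HTML member, descending into nested zips up to max_depth
    (the depth cap guards against archives that nest forever)."""
    hits: list[str] = []
    if depth > max_depth:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip we can open; nothing to inspect
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}{info.filename}"
            lower = info.filename.lower()
            if lower.endswith(HTML_EXTENSIONS):
                hits.append(path)
            elif lower.endswith(ARCHIVE_EXTENSIONS):
                hits.extend(find_html_in_archive(zf.read(info), prefix=path + "/",
                                                 depth=depth + 1, max_depth=max_depth))
    return hits


@dataclass
class SenderProfile:
    """Hypothetical sender attributes a mail-security platform would supply."""
    address: str
    known_contact: bool = False          # solicited, recognized correspondent?
    prior_malicious_or_spam: bool = False  # earlier messages flagged?


@dataclass
class Message:
    sender: SenderProfile
    attachments: dict[str, bytes]  # attachment filename -> raw bytes


def unsolicited_html_in_archive(msg: Message) -> tuple[bool, list[str]]:
    """Return (triggered, html_paths). Triggers only when an archive attachment
    contains HTML AND the sender is unknown or previously flagged."""
    findings: list[str] = []
    for fname, blob in msg.attachments.items():
        if fname.lower().endswith(ARCHIVE_EXTENSIONS):
            findings.extend(find_html_in_archive(blob, prefix=fname + "/"))
    if not findings:
        return False, []
    sender_suspicious = (not msg.sender.known_contact) or msg.sender.prior_malicious_or_spam
    return sender_suspicious, findings


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Construct a zip archive in memory from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: an HTML file hidden one level down inside a nested zip.
NESTED_ARCHIVE = build_zip({
    "readme.txt": b"see attached",
    "inner.zip": build_zip({"invoice.html": b"<html><script>/* constructed */</script></html>"}),
})


def sample_unknown_sender() -> tuple[bool, list[str]]:
    msg = Message(SenderProfile("billing@example.invalid"),
                  {"outer.zip": NESTED_ARCHIVE})
    return unsolicited_html_in_archive(msg)


def sample_known_sender() -> tuple[bool, list[str]]:
    msg = Message(SenderProfile("partner@example.invalid", known_contact=True),
                  {"outer.zip": NESTED_ARCHIVE})
    return unsolicited_html_in_archive(msg)


def sample_flagged_known_sender() -> tuple[bool, list[str]]:
    msg = Message(SenderProfile("partner@example.invalid", known_contact=True,
                                prior_malicious_or_spam=True),
                  {"outer.zip": NESTED_ARCHIVE})
    return unsolicited_html_in_archive(msg)


if __name__ == "__main__":
    for fn in (sample_unknown_sender, sample_known_sender, sample_flagged_known_sender):
        print(fn.__name__, fn())
```

The known-contact case returns the same HTML path but does not trigger, which is the point of the sender-profile check: the rule is not "HTML in archive" alone but "HTML in archive from someone we have no good history with". The depth cap and the `BadZipFile` handling are the two practical guards a scanner needs so that a malformed or deeply nested archive degrades to "no finding" rather than crashing the pipeline.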
Categories
- Endpoint
- Web
- Cloud
Data Sources
- File
- Network Traffic
- Application Log
Created: 2022-06-29