Brand impersonation: Microsoft logo in HTML with fake quarantine release notification

Sublime Rules

Summary
This detection rule aims to identify phishing attempts that impersonate Microsoft by utilizing HTML tables to create fake quarantine release notifications. It looks for specific patterns in the HTML content, such as the presence of Microsoft's logo manipulated via table layouts and references to Microsoft Exchange's quarantine system. The rule checks several criteria including the number of links in the message body, specific HTML tags, background colors that match Microsoft’s branding, and certain phrases commonly associated with phishing such as 'release', 'quarantine', and 'recover'. Additionally, it filters out messages from trusted Microsoft domains unless they fail DMARC authentication, thereby reducing false positives from legitimate communications. The attack type targeted by this rule is credential phishing, with tactics related to social engineering and brand impersonation.
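The summary above describes the rule's signals in prose. The following Python is an added illustration of those checks, not the Sublime rule itself and not its query language: it counts links, looks for a Microsoft logo drawn from brand-coloured table cells, searches the visible text for the release/quarantine/recover wording, and suppresses the match for trusted Microsoft sender domains only while DMARC passes. The brand colour set, trusted domain list, link-count range and the four-cell logo threshold are assumptions for the example; the page names none of them.

```python
"""Heuristic re-creation (added example, not the Sublime rule) of the checks
described above: table-built Microsoft logo, quarantine-release wording,
link count, and a trusted-domain exclusion that still fires on DMARC failure."""
from html.parser import HTMLParser
from typing import Optional
import re

# Assumed values: the page states no specific colours, domains or thresholds.
MS_LOGO_COLOURS = {"#f25022", "#7fba00", "#00a4ef", "#ffb900"}  # four logo tiles
TRUSTED_MS_DOMAINS = {"microsoft.com", "office.com", "outlook.com"}
QUARANTINE_PHRASES = ("release", "quarantine", "recover")
LINK_RANGE = (1, 5)   # assumed: a one-button notification carries few links
MIN_LOGO_CELLS = 4    # assumed: a table-drawn logo needs all four coloured cells

_BG_RE = re.compile(r"background(?:-color)?\s*:\s*(#[0-9a-f]{6})", re.I)


def cell_background(attrs: dict) -> Optional[str]:
    """Return a cell's background colour (lower-cased hex) from bgcolor= or style=."""
    if attrs.get("bgcolor"):
        return attrs["bgcolor"].strip().lower()
    m = _BG_RE.search(attrs.get("style") or "")
    return m.group(1).lower() if m else None


class BodyScanner(HTMLParser):
    """Counts links and brand-coloured table cells, and collects visible text."""

    def __init__(self):
        super().__init__()
        self.links = 0
        self.table_depth = 0
        self.logo_cells = 0
        self.text_parts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links += 1
        elif tag == "table":
            self.table_depth += 1
        elif tag in ("td", "th") and self.table_depth:
            if cell_background(a) in MS_LOGO_COLOURS:
                self.logo_cells += 1

    def handle_endtag(self, tag):
        if tag == "table" and self.table_depth:
            self.table_depth -= 1

    def handle_data(self, data):
        self.text_parts.append(data)

    @property
    def text(self) -> str:
        return " ".join(self.text_parts).lower()


def evaluate(sender_domain: str, dmarc_pass: bool, html: str) -> dict:
    """Apply the heuristic to one message; returns each signal plus the verdict."""
    s = BodyScanner()
    s.feed(html)
    s.close()
    # Trusted Microsoft domains are excluded only when DMARC authenticates them.
    trusted_sender = sender_domain.lower() in TRUSTED_MS_DOMAINS and dmarc_pass
    signals = {
        "links_in_range": LINK_RANGE[0] <= s.links <= LINK_RANGE[1],
        "table_logo": s.logo_cells >= MIN_LOGO_CELLS,
        "quarantine_wording": any(p in s.text for p in QUARANTINE_PHRASES),
        "trusted_sender": trusted_sender,
    }
    signals["match"] = (
        signals["links_in_range"]
        and signals["table_logo"]
        and signals["quarantine_wording"]
        and not trusted_sender
    )
    return signals


# Constructed sample: four coloured cells forming a logo plus a release button.
PHISH_HTML = """
<html><body>
<table><tr>
<td bgcolor="#F25022">&nbsp;</td><td style="background-color:#7fba00">&nbsp;</td></tr>
<tr><td style="background:#00A4EF">&nbsp;</td><td bgcolor="#ffb900">&nbsp;</td></tr>
</table>
<p>Microsoft Exchange has quarantined 3 messages.</p>
<a href="https://example.invalid/release">Release messages</a>
<a href="https://example.invalid/review">Review</a>
</body></html>
"""
# Constructed benign message with no brand logo or quarantine wording.
BENIGN_HTML = '<p>Lunch on Friday?</p><a href="https://example.invalid/menu">Menu</a>'

if __name__ == "__main__":
    print(evaluate("mail-notify.example", False, PHISH_HTML))
    print(evaluate("microsoft.com", True, PHISH_HTML))
```

The trusted-domain check is deliberately conditional on DMARC: a spoofed `microsoft.com` sender that fails DMARC still reaches the content checks, which is the behaviour the summary describes.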
Categories
  • Web
  • Cloud
  • Identity Management
  • Other
Data Sources
  • User Account
  • Process
  • Network Traffic
  • File
Created: 2024-04-23