
Summary
This detection rule identifies potentially malicious EML file attachments in inbound emails that exhibit suspicious characteristics. The rule activates only when an email carries a single attachment, and it then checks a variety of attributes of both the email body and the attachment. Specifically, it looks for cases where the sender's email address is missing or where the HTML content of the email body is relatively short (less than 300 characters). It further examines the attached EML for indicators of phishing, such as the absence of sender details, minimal HTML content, and too few email header hops, which imply non-standard email construction. It also takes into account the domains of links present in the email body, ensuring they do not belong to known legitimate domains, and evaluates whether the sender's domain is deemed trustworthy by comparing it against a set of high-trust sender domains that should not fail DMARC checks. Sender profiles are also consulted to avoid false positives, while ensuring that senders previously identified as malicious still trigger the detection. Overall, the rule aims to mitigate credential phishing attempts facilitated through malicious email attachments.
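The checks the summary describes, written out as an added Python example rather than the rule's own detection language. The trust lists, the hop threshold (MIN_HEADER_HOPS), the sample message and the two gateway-supplied signals (dmarc_pass, sender_prior_malicious) are all constructed assumptions, since the rule's real lists and profile fields are not on the page.

```python
import email
import re
from email import policy
# Constructed, hypothetical reference data; the real rule's lists and thresholds are not on the page.
HIGH_TRUST_SENDER_DOMAINS = {"bank.example"}  # domains expected to pass DMARC
KNOWN_GOOD_LINK_DOMAINS = {"example.org"}
MIN_HEADER_HOPS = 2  # a normally relayed message carries at least this many Received: headers

def html_length(msg):  # length of the decoded text/html body, 0 when there is none
    part = msg.get_body(preferencelist=("html",))
    return len(part.get_content()) if part else 0

def body_link_domains(msg):  # hostnames of http(s) links in the HTML (or plain) body
    part = msg.get_body(preferencelist=("html", "plain"))
    text = part.get_content() if part else ""
    return {h.lower() for h in re.findall(r"https?://([^/\s\"'<>:]+)", text)}

def attachment_is_suspicious(inner):  # hand-built message: no sender, minimal HTML, few hops
    hops = len(inner.get_all("Received", []))
    return not inner["From"] or html_length(inner) < 300 or hops < MIN_HEADER_HOPS

def is_credential_phish(raw, dmarc_pass, sender_prior_malicious):
    # dmarc_pass and sender_prior_malicious stand in for gateway auth results and sender profile
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = list(msg.iter_attachments())
    if len(attachments) != 1 or attachments[0].get_content_type() != "message/rfc822":
        return False  # the rule only applies to a single EML attachment
    inner = attachments[0].get_content()  # the nested EmailMessage
    from_hdr = msg["From"]
    sender_domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    if sender_domain in HIGH_TRUST_SENDER_DOMAINS and dmarc_pass and not sender_prior_malicious:
        return False  # authenticated high-trust sender with no malicious history
    outer_suspicious = not sender_domain or html_length(msg) < 300
    unknown_links = body_link_domains(inner) - KNOWN_GOOD_LINK_DOMAINS
    return outer_suspicious and attachment_is_suspicious(inner) and bool(unknown_links)

# Constructed sample: short outer HTML, one attached EML with no From: and no Received: headers.
SAMPLE = b"""\
From: Payroll <hr@bank.example>
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="us-ascii"

<p>See attached.</p>
--outer
Content-Type: message/rfc822

Content-Type: text/html; charset="us-ascii"

<a href="https://login-verify.example/reset">Verify now</a>
--outer--
"""
```

With the sample above, the message is flagged when the high-trust sender fails DMARC, suppressed when it passes DMARC with no malicious history, and flagged again when the sender profile records prior malicious mail.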
Categories
- Endpoint
- Cloud
- Web
- Application
- Identity Management
Data Sources
- User Account
- File
- Process
Created: 2024-11-19