Attachment: HTML smuggling with unescape

Sublime Rules

Summary
This rule detects and alerts on HTML smuggling, specifically variants that use the JavaScript 'unescape' function to decode a payload at load time. HTML smuggling is a technique in which attackers embed HTML and JavaScript content within attached files or archives so that the payload is assembled in the recipient's browser and bypasses perimeter controls that inspect only the attachment as delivered. The rule recursively scans attached files and archives for indicators of this technique, including common HTML file extensions (such as '.html' and '.htm') and recognized archive formats. It combines file analysis with JavaScript analysis to find 'unescape' calls either in the JavaScript code itself or within the strings of the scanned content. Given its high severity rating, this rule is relevant to environments targeted by credential phishing and malware/ransomware campaigns, and it underlines the need to scrutinize incoming file attachments.
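The following is an added illustration, not the Sublime rule itself, of the scanning logic the summary describes: recurse through an attachment (a loose HTML file or a zip archive, including nested archives), and flag any HTML or script content that references 'unescape' as a call or as a string literal. The extension lists, the regular expressions, the nesting limit and the sample attachments are assumptions constructed for this example; the real rule's indicators and file-type logic may differ.

```python
import io
import re
import zipfile

# Indicators assumed for this example: a direct unescape() call, and the
# function name appearing as a string literal (e.g. window["unescape"]).
UNESCAPE_CALL = re.compile(rb"\bunescape\s*\(")
UNESCAPE_STRING = re.compile(rb"['\"]unescape['\"]")

# File-type heuristics assumed for this example.
HTML_EXTENSIONS = (".html", ".htm", ".xhtml", ".shtml")
ARCHIVE_EXTENSIONS = (".zip",)
ZIP_MAGIC = b"PK\x03\x04"


def is_html_name(name):
    """True if the file name carries an HTML-style extension."""
    return name.lower().endswith(HTML_EXTENSIONS)


def scan_html(name, data):
    """Return (path, reason) findings for one HTML/script document."""
    findings = []
    if UNESCAPE_CALL.search(data):
        findings.append((name, "unescape() call in script content"))
    elif UNESCAPE_STRING.search(data):
        findings.append((name, "'unescape' referenced as a string literal"))
    return findings


def scan_attachment(name, data, depth=0, max_depth=5):
    """Recursively scan an attachment (HTML file or zip archive) for unescape indicators.

    `name` is the attachment file name; nested archive members are reported
    with a slash-joined path so the analyst can see where the hit came from.
    """
    if depth > max_depth:
        return [(name, "archive nesting exceeds max depth")]

    # Archive: descend into every member and aggregate findings.
    if name.lower().endswith(ARCHIVE_EXTENSIONS) or data[:4] == ZIP_MAGIC:
        findings = []
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = zf.read(info)
                    findings.extend(
                        scan_attachment(f"{name}/{info.filename}", member, depth + 1, max_depth)
                    )
        except zipfile.BadZipFile:
            findings.append((name, "archive could not be parsed"))
        return findings

    # Loose file: treat it as HTML if the name says so or a script tag appears early on.
    if is_html_name(name) or b"<script" in data[:4096].lower():
        return scan_html(name, data)
    return []


def build_zip(entries):
    """Build an in-memory zip from {member_name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, member_data in entries.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


# Constructed sample attachments (not real samples).
BENIGN_HTML = b"<html><body><p>Quarterly report attached.</p></body></html>"
SMUGGLING_HTML = (
    b"<html><body><script>var p = unescape('%41%42'); "
    b"document.write(p);</script></body></html>"
)
NESTED_ARCHIVE = build_zip({"inner.zip": build_zip({"docs/invoice.htm": SMUGGLING_HTML,
                                                    "readme.txt": b"plain text"})})

if __name__ == "__main__":
    for label, payload in [("report.html", BENIGN_HTML),
                           ("invoice.html", SMUGGLING_HTML),
                           ("bundle.zip", NESTED_ARCHIVE)]:
        print(label, scan_attachment(label, payload))
```

Each finding names the full path into the archive, which is what an analyst needs when triaging: the outer attachment name alone does not show that the HTML sat two archives deep. The depth limit guards against zip bombs built from deeply nested archives.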
Categories
  • Endpoint
  • Web
  • Infrastructure
Data Sources
  • File
  • Process
  • Network Traffic
  • Container
Created: 2022-11-18