HTML smuggling containing recipient email address

Sublime Rules

Summary
This detection rule identifies HTML smuggling attempts delivered as email attachments. It matches messages carrying HTML files, either attached directly or inside a compressed archive such as a .zip, where the HTML is small (less than 10KB) and yields few extractable strings (fewer than 20). That profile fits a loader stub that decodes and writes its real payload at runtime rather than a genuine document, which would normally be larger and contain far more text. The key indicator is the recipient's own email address appearing inside the HTML: legitimate attachments rarely hard-code the person they are sent to, while credential-phishing lures embed it to personalize the decoded page, typically by prefilling the username field. To suppress false positives, the rule negates bounce-back messages and delivery status notifications, which legitimately echo the recipient's address in attached content. Taken together, the size and string-count thresholds, the HTML content check, the recipient match and the negation logic target credential phishing and potential malware/ransomware delivery. The rule is categorized under attack surface reduction and relies on file and archive analysis together with sender analysis.
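The conditions the summary describes, worked through as an added stdlib-only Python model. This is illustration code written for this page, not the rule's own logic or Sublime's query language; how a "string" is counted (printable-ASCII runs of four or more bytes, as in strings(1)), the bounce/DSN heuristics, and the two sample messages are assumptions constructed here.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

MAX_HTML_BYTES = 10 * 1024  # summary: HTML smaller than 10KB
MAX_STRINGS = 20            # summary: fewer than 20 strings
HTML_EXTS = (".html", ".htm")
ZIP_TYPES = ("application/zip", "application/x-zip-compressed")
# Assumption: a "string" is a printable-ASCII run of 4+ bytes, as in strings(1).
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")

def count_strings(data: bytes) -> int:
    return len(STRING_RE.findall(data))

def recipient_addresses(msg) -> set:
    """Lower-cased addr-specs from To/Cc: the addresses the HTML must contain."""
    addrs = set()
    for hdr in ("To", "Cc"):
        for h in msg.get_all(hdr, []):
            addrs.update(a.addr_spec.lower() for a in h.addresses)
    return addrs

def is_bounce(msg) -> bool:
    """Negate DSNs/bounce-backs, which legitimately echo the recipient address."""
    sender = str(msg.get("From", "")).lower()
    return (msg.get_content_type() == "multipart/report"
            or any(p.get_content_type() == "message/delivery-status" for p in msg.walk())
            or "mailer-daemon" in sender or "postmaster" in sender)

def extract_html_files(msg):
    """Yield (filename, bytes) for HTML attachments, direct or inside a .zip."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(HTML_EXTS) or part.get_content_type() == "text/html":
            yield name, data
        elif name.endswith(".zip") or part.get_content_type() in ZIP_TYPES:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if info.filename.lower().endswith(HTML_EXTS):
                            yield info.filename.lower(), zf.read(info)
            except zipfile.BadZipFile:
                continue  # corrupt or non-zip payload: nothing to inspect

def detect(raw: bytes) -> list:
    """Return names of HTML files meeting every condition in the rule summary."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if is_bounce(msg):
        return []
    rcpts = recipient_addresses(msg)
    hits = []
    for name, data in extract_html_files(msg):
        if len(data) >= MAX_HTML_BYTES or count_strings(data) >= MAX_STRINGS:
            continue  # too large or too "busy" to be a smuggling stub
        lowered = data.lower()
        if any(r.encode() in lowered for r in rcpts):
            hits.append(name)
    return hits

# Constructed samples (not real payloads). The stub hard-codes the recipient so
# the decoded page can personalize itself; atob() holds base64("<form></form>").
SMUGGLING_HTML = b"""<html><body><script>
var u="jane.doe@example.com";
var p=atob("PGZvcm0+PC9mb3JtPg==");
document.write(p.replace("{{u}}",u));
</script></body></html>
"""
# Benign HTML that also contains the address but has 40 printable runs, so the
# string-count threshold excludes it.
NEWSLETTER_HTML = b"".join(
    b"<p>Item %d for jane.doe@example.com, details follow</p>\n" % i for i in range(40)
)

def build_sample(html: bytes, zipped: bool = False, bounce: bool = False) -> bytes:
    """Build a constructed RFC 5322 message carrying `html` as an attachment."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "MAILER-DAEMON@mail.example.net" if bounce else "billing@invoice-portal.example"
    msg["To"] = "Jane Doe <jane.doe@example.com>"
    msg["Subject"] = "Undelivered Mail" if bounce else "Invoice 4471 - action required"
    msg.set_content("Please see the attached document.")
    if zipped:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("invoice.html", html)
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="invoice.zip")
    else:
        msg.add_attachment(html.decode(), subtype="html", filename="invoice.html")
    if bounce:  # shape it like a DSN so the structural negation is exercised
        msg.set_type("multipart/report")
        msg.set_param("report-type", "delivery-status")
    return bytes(msg)
```

Running `detect` over the constructed messages flags the stub both as a direct attachment and inside the .zip, skips the DSN-shaped copy of the same stub, and skips the newsletter even though it contains the address, because its 40 printable runs exceed the string threshold. The thresholds and the bounce negation are where a real rule gets tuned: a stub can be padded past 20 strings, and a negation that only trusts the From header is trivially spoofed, which is why the check above prefers the multipart/report structure over the sender.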
Categories
  • Web
  • Endpoint
  • Cloud
  • Infrastructure
Data Sources
  • File
  • Network Traffic
  • Application Log
  • User Account
Created: 2023-11-07