
Attachment: HTML Attachment with Login Portal Indicators

Sublime Rules

Summary
This detection rule identifies malicious HTML attachments that may contain embedded login portals, a common vehicle for credential theft. It scans files and archives for indicators of such portals, including suspicious strings in JavaScript and in other parts of HTML files; the key condition is the presence of keywords such as 'password', 'login', 'invalid', and 'incorrect' among the strings of the scanned files. It also looks for obfuscation techniques commonly used in phishing attachments. To limit false positives, the rule accounts for the trust level of the sender's email domain by checking it against high-trust domains and organizational domains, and it excludes trusted senders unless the message fails DMARC authentication. This combination of attachment-content checks and sender-trust checks reduces false positives while still detecting credential phishing delivered via HTML attachments.
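The following is an added Python approximation of the logic the summary describes, written for this page; it is not the Sublime rule itself (which is expressed in Sublime's own query language) and does not reproduce its exact conditions. It scans HTML attachments and HTML files inside zip archives for the four keywords named above, decodes long base64 blobs so a form hidden behind atob() is still caught, applies an assumed obfuscation heuristic, and skips trusted senders only when DMARC passes. The trust lists, the obfuscation markers, the two-keyword threshold and the sample attachments are all constructed for the example.

```python
import base64
import io
import re
import zipfile
from dataclasses import dataclass, field

# Keywords named in the rule summary as login-portal indicators.
LOGIN_KEYWORDS = ("password", "login", "invalid", "incorrect")

# Assumed obfuscation markers (not Sublime's list): JS string-decoding primitives
# and long base64 runs, both common ways to hide a login form from string scans.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
OBFUSCATION_PATTERNS = (
    re.compile(r"\bunescape\s*\(", re.I),
    re.compile(r"String\.fromCharCode", re.I),
    re.compile(r"\batob\s*\(", re.I),
    BASE64_RUN,
)

# Assumed sample trust lists; a real deployment takes these from the mail platform.
HIGH_TRUST_DOMAINS = {"microsoft.com", "google.com"}
ORG_DOMAINS = {"example.org"}


@dataclass
class Message:
    sender_domain: str
    dmarc_pass: bool
    attachments: dict  # filename -> raw bytes


@dataclass
class Verdict:
    flagged: bool
    reasons: list = field(default_factory=list)


def html_payloads(name, data):
    """Yield (path, text) for HTML files, descending one level into zip archives."""
    lower = name.lower()
    if lower.endswith((".html", ".htm")):
        yield name, data.decode("utf-8", errors="replace")
    elif lower.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith((".html", ".htm")):
                    yield f"{name}/{info.filename}", zf.read(info).decode("utf-8", errors="replace")


def login_indicators(text):
    """Return the login keywords present in the text or in any embedded base64 blob."""
    found = [kw for kw in LOGIN_KEYWORDS if kw in text.lower()]
    for blob in BASE64_RUN.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", errors="ignore").lower()
        except (ValueError, UnicodeDecodeError):
            continue
        found += [kw for kw in LOGIN_KEYWORDS if kw in decoded and kw not in found]
    return found


def is_obfuscated(text):
    return any(p.search(text) for p in OBFUSCATION_PATTERNS)


def sender_is_trusted(msg):
    """Trusted domains are skipped only when DMARC passes; a failing DMARC result
    means the trusted domain may be spoofed, so the attachment is still scanned."""
    trusted = msg.sender_domain in HIGH_TRUST_DOMAINS or msg.sender_domain in ORG_DOMAINS
    return trusted and msg.dmarc_pass


def evaluate(msg):
    if sender_is_trusted(msg):
        return Verdict(False, ["trusted sender, DMARC pass"])
    reasons = []
    for fname, data in msg.attachments.items():
        for path, text in html_payloads(fname, data):
            kws = login_indicators(text)
            obf = is_obfuscated(text)
            # Assumed threshold: two keywords, or one keyword plus obfuscation.
            if len(kws) >= 2 or (kws and obf):
                reasons.append(f"{path}: keywords={kws} obfuscated={obf}")
    return Verdict(bool(reasons), reasons)


# Constructed samples: a login form hidden behind atob(), and a benign page.
_FORM = b'<form><input name="login"><input type="password"><p>Invalid password, incorrect</p></form>'
SAMPLE_PHISH = b"<html><script>document.write(atob('" + base64.b64encode(_FORM) + b"'))</script></html>"
SAMPLE_BENIGN = b"<html><body><p>Quarterly report attached.</p></body></html>"


def sample_zip():
    """Constructed zip archive wrapping the phishing sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", SAMPLE_PHISH)
    return buf.getvalue()


if __name__ == "__main__":
    for m in (Message("mailer.invalid", False, {"invoice.html": SAMPLE_PHISH}),
              Message("microsoft.com", True, {"invoice.html": SAMPLE_PHISH}),
              Message("microsoft.com", False, {"docs.zip": sample_zip()}),
              Message("mailer.invalid", True, {"report.html": SAMPLE_BENIGN})):
        print(m.sender_domain, evaluate(m))
```

The four sample messages exercise the sender-trust branch directly: the same phishing attachment is flagged from an untrusted domain, skipped from a high-trust domain that passes DMARC, and flagged again from that domain when DMARC fails, while the benign report is never flagged.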
Categories
  • Web
  • Endpoint
  • Network
Data Sources
  • File
  • Process
  • Network Traffic
  • Application Log
Created: 2023-02-01