
Summary
This detection rule identifies inbound emails carrying archive attachments that contain HTML files with 'file://' scheme links. Such files pose a risk because the links may point to an SMB server, enabling attackers to capture NTLM hashes from user systems when the files are opened. The technique is associated with the threat actor group TA577, which has used it in credential phishing campaigns. The rule applies multiple checks to attachments, focusing on common archive formats so that potentially malicious HTML files are flagged. It evaluates file extensions, MIME types, and URL schemes, and integrates sender profiling to filter out unsolicited and potentially malicious emails.
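The checks the summary lists (archive attachment, HTML member, file:// scheme link, sender profiling) can be reproduced offline as a small scanner. The code below is an added example written for this page, not the rule itself or any vendor's implementation. The extension and MIME-type sets, the 'new'/'outlier'/'common' sender-prevalence labels, and the constructed sample attachments are all assumptions for illustration; only ZIP archives are opened because that needs nothing beyond the standard library, while other archive types are reported as uninspectable so a pipeline can route them to a sandbox instead of passing them.

```python
import html
import io
import os
import re
import zipfile

# Assumed (not from the page): illustrative archive/HTML extension sets and MIME types.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".tar", ".gz", ".iso", ".img"}
ARCHIVE_MIME_TYPES = {
    "application/zip", "application/x-zip-compressed", "application/x-rar-compressed",
    "application/x-7z-compressed", "application/x-tar", "application/gzip",
}
HTML_EXTENSIONS = {".htm", ".html", ".shtml", ".xhtml"}
MAX_HTML_BYTES = 2 * 1024 * 1024  # bound parsing cost; oversized members are skipped

# Matches file://host/share and file:\\host\share forms once entities are decoded.
FILE_SCHEME_RE = re.compile(r"file:(?://|\\\\)[^\s\"'<>()]+", re.IGNORECASE)


def find_file_scheme_links(html_bytes):
    """Return the distinct file:// style links found anywhere in an HTML document."""
    text = html_bytes.decode("utf-8", errors="replace")
    # Entity decoding defeats the obvious evasion of writing the scheme as 'file&#58;//'.
    text = html.unescape(text)
    return sorted({m.group(0) for m in FILE_SCHEME_RE.finditer(text)})


def is_archive(filename, content_type):
    """Archive check on both the extension and the declared MIME type."""
    ext = os.path.splitext(filename.lower())[1]
    return ext in ARCHIVE_EXTENSIONS or (content_type or "").lower() in ARCHIVE_MIME_TYPES


def scan_archive(filename, content_type, data):
    """Inspect one attachment.

    Returns a dict with 'archive' and 'inspectable' flags and a list of
    (member_name, link) findings for HTML members carrying file:// links.
    """
    if not is_archive(filename, content_type):
        return {"archive": False, "inspectable": False, "findings": []}
    blob = io.BytesIO(data)
    if not zipfile.is_zipfile(blob):
        # rar/7z/iso need third-party parsers; flag as archive but not inspected here.
        return {"archive": True, "inspectable": False, "findings": []}
    findings = []
    with zipfile.ZipFile(blob) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_HTML_BYTES:
                continue
            if os.path.splitext(info.filename.lower())[1] not in HTML_EXTENSIONS:
                continue
            for link in find_file_scheme_links(zf.read(info)):
                findings.append((info.filename, link))
    return {"archive": True, "inspectable": True, "findings": findings}


def evaluate_message(attachments, sender_prevalence):
    """Combine attachment findings with sender profiling.

    attachments: iterable of (filename, content_type, bytes).
    sender_prevalence: 'new', 'outlier' or 'common' (assumed labels modelling the
    page's sender-profiling step). The rule fires only for unfamiliar senders.
    """
    results = [scan_archive(*a) for a in attachments]
    hits = [f for r in results for f in r["findings"]]
    unfamiliar = sender_prevalence in {"new", "outlier"}
    return {"match": bool(hits) and unfamiliar, "findings": hits}


def build_sample_zip(members):
    """Constructed test data: an in-memory ZIP built from {member_name: html_text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed samples (not real campaign artefacts): one lure whose HTML points at
# an SMB host in the TEST-NET-2 documentation range, one benign document.
MALICIOUS_ZIP = build_sample_zip({
    "invoice_2024.html": '<html><body><a href="file://198.51.100.7/share/invoice.pdf">Open</a>'
                         '<img src="file:&#47;&#47;198.51.100.7/share/pixel.png"></body></html>',
})
BENIGN_ZIP = build_sample_zip({
    "readme.html": '<html><body><a href="https://example.com/doc">Document</a></body></html>',
})

if __name__ == "__main__":
    print(evaluate_message([("invoice.zip", "application/zip", MALICIOUS_ZIP)], "new"))
    print(evaluate_message([("docs.zip", "application/zip", BENIGN_ZIP)], "new"))
```

The entity-decoding step matters more than it looks: a scheme split across character references is still followed by the browser, so matching only on the raw bytes would miss the second link in the constructed sample. In a production pipeline the uninspectable verdict should be treated as a reason to detonate the attachment, not as a clean result.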
Categories
- Endpoint
- Network
- Web
- Application
- Cloud
Data Sources
- File
- Process
- Network Traffic
- Application Log
Created: 2024-03-07