
Summary
This detection rule identifies potentially malicious HTML attachments that contain JavaScript capable of making HTTP requests, a technique phishing campaigns use to load a harmful payload after the file is opened. The rule operates on inbound email traffic, filters out messages from solicited sources, and focuses on unknown or untrusted senders. It checks whether each attachment is an HTML file and then looks for particular JavaScript functions and patterns in the parsed HTML content. An alert is triggered when at least three of these JavaScript-related strings are present, which indicates a potential phishing attempt. The strings include 'XMLHttpRequest', 'send()', and 'responseText', which together commonly suggest that the HTML file loads remote resources or executes unwanted scripts. The rule is assigned high severity because such phishing tactics carry a risk of credential theft.
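The following is an added illustration of the heuristic the summary describes, written in Python using only the standard library; it is not the rule's own query logic. The trusted-domain allow-list standing in for the "solicited sources" filter, the attachment type check, and the constructed sample messages are assumptions made for the example; the indicator list contains only the three strings the summary names, so the real rule may match more.

```python
"""
Illustrative re-implementation of the HTML-attachment heuristic: inbound mail,
untrusted sender, HTML attachment whose script content contains at least three
JavaScript request-related strings. Added example, not the rule's own code.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Indicators named in the rule summary. The real rule may include more; only
# the three from the summary are listed here to avoid inventing any.
JS_INDICATORS = ("XMLHttpRequest", "send()", "responseText")
MIN_INDICATORS = 3  # summary: alert when at least three indicator strings appear

# Assumption: a small allow-list stands in for the rule's "solicited sources"
# filtering, whose actual logic is not described on the page.
TRUSTED_DOMAINS = {"example.com"}


class ScriptTextExtractor(HTMLParser):
    """Collect the text of <script> elements and inline on* handler attributes."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.script_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name.startswith("on") and value:  # e.g. onload="..."
                self.script_text.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def is_html_attachment(part):
    """HTML by declared MIME type or by file extension (assumed check)."""
    ctype = part.get_content_type()
    filename = (part.get_filename() or "").lower()
    return ctype in ("text/html", "application/xhtml+xml") or filename.endswith((".html", ".htm"))


def count_js_indicators(html_bytes):
    """Number of distinct indicator strings found in the attachment's script text."""
    parser = ScriptTextExtractor()
    parser.feed(html_bytes.decode("utf-8", errors="replace"))
    script = "\n".join(parser.script_text)
    return sum(1 for indicator in JS_INDICATORS if indicator in script)


def sender_domain(msg):
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def evaluate_message(raw_bytes):
    """Return (alert, reasons) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if sender_domain(msg) in TRUSTED_DOMAINS:
        return False, ["sender is trusted"]
    hits = []
    for part in msg.iter_attachments():
        if not is_html_attachment(part):
            continue
        n = count_js_indicators(part.get_payload(decode=True))
        if n >= MIN_INDICATORS:
            hits.append(f"{part.get_filename()}: {n} indicators")
    return bool(hits), hits


def build_sample(from_addr, html):
    """Constructed test message with one HTML attachment (not real traffic)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "user@example.com"
    m["Subject"] = "Your document"
    m.set_content("Please open the attached file.")
    m.add_attachment(html.encode(), maintype="text", subtype="html", filename="invoice.html")
    return m.as_bytes()


# Constructed samples: one matching all three indicators, one plain page.
SUSPICIOUS_HTML = """<html><body><script>
var r = new XMLHttpRequest();
r.onload = function () { document.write(r.responseText); };
r.open("GET", "https://example.invalid/page");
r.send();
</script></body></html>"""

BENIGN_HTML = """<html><body><script>
document.getElementById('x').textContent = 'hello';
</script><p>Hello</p></body></html>"""

if __name__ == "__main__":
    print(evaluate_message(build_sample("billing@unknown-sender.test", SUSPICIOUS_HTML)))
    print(evaluate_message(build_sample("billing@unknown-sender.test", BENIGN_HTML)))
    print(evaluate_message(build_sample("it@example.com", SUSPICIOUS_HTML)))
```

Scanning only script text and event-handler attributes, rather than the whole attachment body, keeps a page that merely discusses these identifiers in visible text from counting as a hit. The heuristic is plain substring matching, so its coverage depends on the strings appearing literally in the attachment; treat it as one signal alongside sender reputation and attachment-type checks rather than a standalone verdict.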
Categories
- Web
- Application
- Endpoint
Data Sources
- File
- Script
- Application Log
Created: 2024-07-03