
Attachment: HTML smuggling with high entropy and other signals

Sublime Rules

Summary
This rule detects HTML smuggling by recursively analyzing files and archives for indicators that suggest a hidden payload. HTML smuggling delivers a malicious payload inside an HTML file, typically with obfuscation that evades traditional controls. The rule checks for files with common HTML extensions (.html, .htm, .shtml or .dhtml) as well as files with high entropy, which indicates possible obfuscation. It additionally looks for JavaScript functions commonly used to decode and deliver payloads (fromCharCode, parseInt and charCodeAt) among the strings of the file. Because the analysis also descends into the contents of archived files, payloads hidden inside nested attachments are covered as well. Given the rising use of these methods in banking malware, the rule addresses a significant evasion risk.
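The three signals the summary describes (HTML extension, byte entropy, and decoder-function names among the file's strings), applied recursively through ZIP archives, as an added Python illustration. This is not the Sublime rule itself, which is written in Sublime's query language and is not reproduced on this page. The entropy cutoff, the archive depth and member-size limits, the "all three signals" verdict and the sample attachment are all assumptions of this example, constructed so it runs offline.

```python
import base64
import hashlib
import io
import math
import re
import zipfile

HTML_EXTENSIONS = (".html", ".htm", ".shtml", ".dhtml")
SUSPICIOUS_FUNCTIONS = ("fromCharCode", "parseInt", "charCodeAt")
ENTROPY_THRESHOLD = 5.5             # assumed cutoff in bits per byte; the page gives no value
MAX_ARCHIVE_DEPTH = 3               # assumed limit so nested archives cannot recurse without bound
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # assumed limit against oversized or decompression-bomb members


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long, in the spirit of the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def analyze_file(name: str, data: bytes) -> dict:
    """Compute the three signals for one (non-archive) file."""
    strings = printable_strings(data)
    functions = [fn for fn in SUSPICIOUS_FUNCTIONS if any(fn in s for s in strings)]
    entropy = shannon_entropy(data)
    return {
        "name": name,
        "html_extension": name.lower().endswith(HTML_EXTENSIONS),
        "entropy": round(entropy, 2),
        "high_entropy": entropy >= ENTROPY_THRESHOLD,
        "functions": functions,
    }


def scan(name: str, data: bytes, depth: int = 0) -> list:
    """Analyze a file, descending into ZIP members up to MAX_ARCHIVE_DEPTH levels."""
    if depth < MAX_ARCHIVE_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        results = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue  # skip directories and members over the size limit
                member = zf.read(info)  # password-protected members would raise here; not handled
                results.extend(scan(f"{name}/{info.filename}", member, depth + 1))
        return results
    return [analyze_file(name, data)]


def is_suspicious(result: dict) -> bool:
    """Verdict used in this example: all three signals present (an assumption, not the rule's logic)."""
    return result["html_extension"] and result["high_entropy"] and bool(result["functions"])


def build_samples() -> dict:
    """Constructed attachment: an obfuscated-looking HTML file nested two ZIPs deep, plus a benign one."""
    # Deterministic high-entropy filler standing in for an encoded payload (constructed, not a real sample).
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    payload = base64.b64encode(blob).decode("ascii")
    smuggled = (
        "<html><body><script>\n"
        "var p='" + payload + "';\n"
        "var s='';for(var i=0;i<p.length;i+=2){s+=String.fromCharCode(parseInt(p.substr(i,2),16));}\n"
        "</script></body></html>\n"
    ).encode("ascii")
    benign = b"<html><body><h1>Quarterly report</h1><p>See attached figures.</p></body></html>\n"

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.html", smuggled)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("docs.zip", inner.getvalue())
        zf.writestr("readme.html", benign)
    return {"attachment.zip": outer.getvalue()}


def demo() -> list:
    """Scan the constructed attachment and return one result per leaf file."""
    results = []
    for name, data in build_samples().items():
        results.extend(scan(name, data))
    return results


if __name__ == "__main__":
    for r in demo():
        verdict = "SUSPICIOUS" if is_suspicious(r) else "clean"
        print(f"{verdict:10} {r['name']} entropy={r['entropy']} functions={r['functions']}")
```

The depth and member-size limits matter in practice: an analyzer that recurses into archives without bounds is itself a target for nested or highly compressed archives, so any real implementation should fail closed (treat an unreadable or over-limit member as a signal rather than silently skipping it, if policy allows).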
Categories
  • Web
  • Endpoint
  • Cloud
  • Application
Data Sources
  • File
  • Process
  • Network Traffic
Created: 2022-06-09