Attachment: Any HTML file (unsolicited)

Sublime Rules

Summary
This rule identifies potential HTML smuggling attacks delivered through unsolicited email messages that contain HTML file attachments. Because unsolicited email often carries malicious content, the rule triggers an alert when any HTML file (an extension such as .htm or .html, or a file recognized as an HTML file type) is detected among the incoming attachments. The rule depends on the nature of the sender: HTML attachments are blocked when messages from the sender are deemed unsolicited or have been flagged as malicious or spam. The rule can be adjusted to inspect HTML files more broadly and to flag suspicious code within the attachments. Messages from highly trusted domains pass through unless they fail DMARC authentication checks, which further reduces false positives while maintaining security.
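The decision logic described in the summary, sketched in Python as an added example; it is not the rule's own source. The message field names, the `HIGH_TRUST_DOMAINS` list and the content-sniffing check standing in for "recognized as HTML file types" are assumptions, and the sample messages are constructed.

```python
# Added illustration: field names are hypothetical, not the rule's real schema.
HTML_EXTENSIONS = {"htm", "html"}
HTML_MAGIC = (b"<!doctype html", b"<html")
HIGH_TRUST_DOMAINS = {"trusted.example"}  # assumed allow-list, constructed

def is_html_attachment(att):
    """True if the extension is .htm/.html or the leading bytes look like HTML."""
    name = att["filename"]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    # Skip a UTF-8 BOM and leading whitespace before sniffing the content.
    head = att["content"][:512].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    return ext in HTML_EXTENSIONS or head.startswith(HTML_MAGIC)

def sender_is_untrusted(msg):
    """Sender is unsolicited, or was previously flagged malicious or spam."""
    return not msg["solicited"] or msg["flagged"]

def high_trust_exempt(msg):
    """Highly trusted domains pass through unless DMARC fails."""
    return msg["domain"].lower() in HIGH_TRUST_DOMAINS and msg["dmarc_pass"]

def rule_matches(msg):
    return (any(is_html_attachment(a) for a in msg["attachments"])
            and sender_is_untrusted(msg)
            and not high_trust_exempt(msg))

def make_msg(domain, filename, content=b"", solicited=False, flagged=False,
             dmarc_pass=True):
    """Build a constructed inbound message record for the samples below."""
    return {"domain": domain, "solicited": solicited, "flagged": flagged,
            "dmarc_pass": dmarc_pass,
            "attachments": [{"filename": filename, "content": content}]}

HTML_BODY = b"\r\n<!DOCTYPE html><html><body>constructed</body></html>"
SAMPLES = [  # all constructed
    make_msg("unknown.example", "invoice.html", HTML_BODY),       # unsolicited + .html
    make_msg("unknown.example", "statement.txt", HTML_BODY),      # HTML by content only
    make_msg("trusted.example", "notice.htm", HTML_BODY),         # high trust, DMARC pass
    make_msg("trusted.example", "notice.htm", HTML_BODY, dmarc_pass=False),  # spoof-like
    make_msg("partner.example", "form.html", HTML_BODY, solicited=True),     # known sender
    make_msg("unknown.example", "report.pdf", b"%PDF-1.7"),       # not HTML
]

if __name__ == "__main__":
    for m in SAMPLES:
        att = m["attachments"][0]["filename"]
        print(f"{m['domain']:<16} {att:<14} match={rule_matches(m)}")
```

The fourth sample shows why the high-trust exemption is tied to DMARC: a message that claims a trusted domain but fails authentication is evaluated like any other unsolicited sender.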
Categories
  • Endpoint
  • Cloud
  • Application
  • Web
Data Sources
  • User Account
  • File
  • Network Traffic
Created: 2021-09-13