
Summary
This detection rule targets HTML obfuscation that uses the ROT13 encoding scheme for JavaScript identifiers, a tactic attackers use to slip malicious content past email security filters. The rule monitors inbound emails for attachments with HTML-related extensions (e.g., .html, .htm, .shtml) and for common archive formats, and inspects the JavaScript in those attachments for identifiers that contain the string 'rot13'. It additionally requires that fewer than 100 JavaScript identifiers be present, which limits matches to small scripts such as a decoder stub rather than large script bundles. The rule exists to strengthen defenses against credential phishing and malware delivery that rely on obfuscation to evade standard detection.
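The logic described above, written out as an added example (this is illustrative code, not the detection rule's own implementation or query language): it extracts JavaScript identifiers from the script blocks of an HTML attachment, flags the file when an identifier contains 'rot13' and the total distinct identifier count is below 100, and descends into ZIP archives because the summary names archive formats as an attachment type (ZIP is an assumption standing in for "common archive formats"). The tokenizer, the reserved-word list and the sample lure are constructed for the example.

```python
import io
import os
import re
import zipfile
from dataclasses import dataclass, field
from typing import Iterator

# Extensions named in the rule summary; ZIP is assumed here as the archive case.
HTML_EXTENSIONS = {".html", ".htm", ".shtml"}
ARCHIVE_EXTENSIONS = {".zip"}
IDENTIFIER_LIMIT = 100   # the rule only fires when fewer than this many distinct identifiers exist
MARKER = "rot13"         # substring the rule looks for inside identifiers

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Blank out string literals and comments first so their contents are not counted as identifiers
# (regex literals are left alone; this is a deliberately simple tokenizer, not a JS parser).
STRIP_RE = re.compile(
    r"'(?:\\.|[^'\\])*'"        # single-quoted string
    r'|"(?:\\.|[^"\\])*"'       # double-quoted string
    r"|`(?:\\.|[^`\\])*`"       # template literal
    r"|//[^\n]*"                # line comment
    r"|/\*.*?\*/",              # block comment
    re.DOTALL,
)
IDENT_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")
JS_RESERVED = {
    "break", "case", "catch", "class", "const", "continue", "default", "delete", "do", "else",
    "false", "finally", "for", "function", "if", "in", "instanceof", "let", "new", "null",
    "return", "switch", "this", "throw", "true", "try", "typeof", "var", "void", "while", "with",
}


@dataclass
class Verdict:
    identifier_count: int
    rot13_identifiers: list[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        # Both conditions of the rule: a 'rot13' identifier AND fewer than 100 identifiers overall.
        return bool(self.rot13_identifiers) and self.identifier_count < IDENTIFIER_LIMIT


def js_identifiers(html: str) -> list[str]:
    """Distinct identifier-like tokens from every <script> block, in first-seen order."""
    seen: dict[str, None] = {}
    for script in SCRIPT_RE.findall(html):
        code = STRIP_RE.sub(" ", script)
        for tok in IDENT_RE.findall(code):
            if tok not in JS_RESERVED:
                seen.setdefault(tok, None)
    return list(seen)


def evaluate_html(html: str) -> Verdict:
    idents = js_identifiers(html)
    hits = [i for i in idents if MARKER in i.lower()]
    return Verdict(identifier_count=len(idents), rot13_identifiers=hits)


def html_members(name: str, data: bytes) -> Iterator[tuple[str, bytes]]:
    """Yield (name, bytes) for each HTML file an attachment holds, looking inside ZIP archives."""
    ext = os.path.splitext(name)[1].lower()
    if ext in HTML_EXTENSIONS:
        yield name, data
    elif ext in ARCHIVE_EXTENSIONS:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if os.path.splitext(info.filename)[1].lower() in HTML_EXTENSIONS:
                    yield f"{name}/{info.filename}", zf.read(info)


def scan_attachment(name: str, data: bytes) -> list[tuple[str, Verdict]]:
    return [(member, evaluate_html(payload.decode("utf-8", errors="replace")))
            for member, payload in html_members(name, data)]


# Constructed sample: a small HTML lure that hides its page text behind a ROT13 decoder.
SAMPLE_HTML = """<html><body>
<script>
// decoder (constructed sample, not taken from a real lure)
function rot13(s) {
  return s.replace(/[a-zA-Z]/g, function (c) {
    return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);
  });
}
document.write(rot13("<c>Cyrnfr fvta va</c>"));
</script>
</body></html>"""


def build_sample_zip() -> bytes:
    """Constructed attachment: the lure above packed in a ZIP next to a non-HTML file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.html", SAMPLE_HTML)
        zf.writestr("readme.txt", "not scanned")
    return buf.getvalue()


if __name__ == "__main__":
    for member, v in scan_attachment("invoice.zip", build_sample_zip()):
        state = "FLAGGED" if v.flagged else "clean"
        print(f"{member}: {state} ({v.identifier_count} identifiers, hits={v.rot13_identifiers})")
```

The identifier-count ceiling is what keeps this from matching any large, legitimate script bundle that happens to define a `rot13` helper: the sample lure yields only a dozen or so identifiers, whereas the same decoder embedded among 150 other names is left alone.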
Categories
- Web
- Cloud
- Endpoint
- Mobile
- Application
Data Sources
- File
- Process
- Network Traffic
Created: 2022-11-18