
Attachment: HTML with obfuscation and recipient's email in JavaScript strings

Sublime Rules

Summary
This rule flags inbound emails carrying an HTML attachment (including HTML extracted from an attached archive) whose JavaScript shows signs of obfuscation, such as the identifiers 'atob' or 'decrypt', and whose JavaScript string literals contain the recipient's own email address. A page that already knows the victim's address is typically a pre-populated credential-harvesting form, so the combination of obfuscated script and embedded recipient address is a strong indicator of targeted credential phishing. The rule combines archive, file, HTML and JavaScript analysis and limits itself to HTML files under 1 MB. To reduce false positives it excludes HTML produced by Cisco's legitimate email encryption service, which delivers secure messages as HTML attachments with similar characteristics.
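The following is an added Python illustration of the detection logic described above; it is not the rule's own query language and not code from the Sublime project. It applies the same conditions (size under 1 MB, a script block containing 'atob' or 'decrypt', the recipient address inside a JavaScript string literal, and an exclusion for a known encryption-service envelope) to constructed sample attachments. It goes slightly beyond the summary by also matching the base64 encoding of the recipient address, a common variant in kits that decode the address with atob. The exclusion is modelled with a hypothetical placeholder marker, since the real fingerprint is not given on this page; all sample HTML and addresses are constructed.

```python
import base64
import re
from dataclasses import dataclass, field

MAX_SIZE = 1_000_000  # the page's "under 1 MB" threshold, in bytes
OBFUSCATION_IDENTIFIERS = ("atob", "decrypt")

# Script bodies, JS string literals (double, single and backtick quoted,
# honouring backslash escapes) and the suspicious identifiers.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
STRING_RE = re.compile(
    r'"((?:\\.|[^"\\])*)"|\'((?:\\.|[^\'\\])*)\'|`((?:\\.|[^`\\])*)`', re.DOTALL
)
IDENT_RE = re.compile(r"\b(" + "|".join(OBFUSCATION_IDENTIFIERS) + r")\b")


@dataclass
class Finding:
    flagged: bool
    identifiers: list = field(default_factory=list)
    recipient_in_strings: bool = False
    reason: str = ""


def script_bodies(html: str) -> list:
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def js_string_literals(js: str) -> list:
    # Each match fills exactly one of the three alternation groups.
    return [next(g for g in m.groups() if g is not None) for m in STRING_RE.finditer(js)]


def looks_like_known_encryption_envelope(html: str) -> bool:
    # Hypothetical stand-in for the page's Cisco encryption-service exclusion.
    # The real rule's fingerprint is not reproduced here; use your own marker.
    return "HYPOTHETICAL-SECURE-ENVELOPE-MARKER" in html


def scan_html_attachment(html_bytes: bytes, recipient: str) -> Finding:
    if len(html_bytes) >= MAX_SIZE:
        return Finding(False, reason="file is 1 MB or larger, out of scope")
    html = html_bytes.decode("utf-8", errors="replace")
    scripts = script_bodies(html)
    if not scripts:
        return Finding(False, reason="no script blocks")
    js = "\n".join(scripts)
    identifiers = sorted(set(IDENT_RE.findall(js)))

    # Match the plain address case-insensitively, or its exact base64 form.
    needle = recipient.lower()
    b64_needle = base64.b64encode(recipient.encode()).decode()
    hit = any(needle in lit.lower() or b64_needle in lit for lit in js_string_literals(js))

    if not identifiers or not hit:
        return Finding(False, identifiers, hit, "no obfuscation identifier or no recipient string")
    if looks_like_known_encryption_envelope(html):
        return Finding(False, identifiers, hit, "matches encryption-service exclusion")
    return Finding(True, identifiers, hit, "obfuscated script references the recipient")


# Constructed samples (not real phishing kits).
RECIPIENT = "victim@example.com"
FORM_B64 = base64.b64encode(b'<form action="https://example.invalid/post">').decode()

PHISH_HTML = f"""<html><body><script>
var user = "Victim@Example.com";
var payload = "{FORM_B64}";
document.write(atob(payload).replace("%EMAIL%", user));
</script></body></html>""".encode()

ENCODED_HTML = f"""<html><body><script>
var user = atob("{base64.b64encode(RECIPIENT.encode()).decode()}");
document.write("<input value=\\"" + user + "\\">");
</script></body></html>""".encode()

BENIGN_HTML = b"""<html><body><script>
var greeting = "Your statement is ready";
document.write(atob("SGVsbG8="));
</script></body></html>"""

ENVELOPE_HTML = PHISH_HTML.replace(b"<html>", b"<html><!-- HYPOTHETICAL-SECURE-ENVELOPE-MARKER -->")

if __name__ == "__main__":
    for name, sample in [("phish", PHISH_HTML), ("encoded", ENCODED_HTML),
                         ("benign", BENIGN_HTML), ("envelope", ENVELOPE_HTML)]:
        print(name, scan_html_attachment(sample, RECIPIENT))
```

The benign sample shows why both conditions are required: atob alone is common in legitimate inline scripts, and it is the recipient-specific string that turns generic obfuscation into a credential-phishing signal.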
Categories
  • Endpoint
  • Web
  • Application
  • Identity Management
Data Sources
  • File
  • Application Log
  • Network Traffic
  • Process
Created: 2023-08-29