
HTML: Bidirectional (BIDI) HTML override with right to left obfuscation

Sublime Rules

Summary
This detection rule identifies bidirectional (BIDI) text manipulation in HTML content, specifically right-to-left (RTL) overrides. An RTL override reverses the rendering order of the characters it wraps, so the text a recipient sees differs from the string stored in the message; attackers use this to display a malicious link or instruction that plain string-matching checks would otherwise catch. The detection logic scans the HTML body and counts occurrences of RTL override markup such as `<span style="unicode-bidi: bidi-override; display: inline-block;" dir="rtl">` and `<bdo dir="rtl">`. If the total count is three or more, the message is flagged for further investigation. Such tactics are often seen in phishing, particularly business email compromise (BEC) and credential harvesting, where deceptive text display tricks users into revealing sensitive information. By combining content and HTML analysis, the rule aims to catch malicious content that relies on evasive formatting.
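The following is an added example, not the Sublime rule itself, showing the counting logic described above over a constructed HTML body. It walks the HTML with the standard-library parser, counts `<bdo dir="rtl">` elements and `<span>` elements whose `style` contains `bidi-override` together with `dir="rtl"`, applies the three-or-more threshold, and also reverses each wrapped fragment to approximate what a recipient would see. The sample messages, the `RTL_THRESHOLD` constant and all function names are assumptions made for this example.

```python
"""Added example (not Sublime's rule code): count RTL override markup in an
HTML body and flag the body when three or more overrides are present."""
from html.parser import HTMLParser

RTL_THRESHOLD = 3  # the rule's threshold: three or more overrides flag the body

# Constructed sample: a lure whose key words are stored reversed and wrapped in
# RTL overrides, so "clickhere"/"password"/"verify" never appear literally.
SUSPICIOUS_HTML = """<html><body>
<p>Your mailbox is full. <bdo dir="rtl">erehkcilc</bdo> to expand.</p>
<p><span style="unicode-bidi: bidi-override; display: inline-block;" dir="rtl">drowssap</span> reset required</p>
<p><bdo dir="rtl">yfirev</bdo> your account</p>
</body></html>"""

# Constructed sample: a plain dir="rtl" paragraph (legitimate RTL language) is
# not a bidi override and must not count.
BENIGN_HTML = """<html><body><p>Quarterly report attached.</p>
<p dir="rtl">שלום</p></body></html>"""


class RtlOverrideScanner(HTMLParser):
    """Collects the text wrapped by each RTL override element, in document order."""

    def __init__(self):
        super().__init__()
        self.fragments = []  # text inside each override, appended when it closes
        self._open = []      # stack of (tag, is_override, text_parts)

    @staticmethod
    def _is_override(tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("dir", "").strip().lower() != "rtl":
            return False
        if tag == "bdo":
            return True
        style = a.get("style", "").replace(" ", "").lower()
        return tag == "span" and "bidi-override" in style

    def handle_starttag(self, tag, attrs):
        self._open.append((tag, self._is_override(tag, attrs), []))

    def handle_data(self, data):
        # Text belongs to every override element that encloses it.
        for _, is_override, parts in self._open:
            if is_override:
                parts.append(data)

    def handle_endtag(self, tag):
        if not any(t == tag for t, _, _ in self._open):
            return  # stray end tag; ignore
        # Pop until the matching start tag; void elements left on the stack
        # (e.g. <br>) are discarded on the way.
        while self._open:
            t, is_override, parts = self._open.pop()
            if is_override:
                self.fragments.append("".join(parts))
            if t == tag:
                break


def rtl_override_fragments(html):
    scanner = RtlOverrideScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.fragments


def count_rtl_overrides(html):
    return len(rtl_override_fragments(html))


def approximate_visible_text(fragment):
    """A bidi override reverses the visual order of the characters it wraps, so
    the text the user sees is roughly the stored string reversed. This is an
    approximation: real rendering reorders grapheme clusters, not code points."""
    return fragment[::-1]


def is_suspicious(html, threshold=RTL_THRESHOLD):
    return count_rtl_overrides(html) >= threshold


def scan(html):
    """Summarise a body: override count, whether it meets the threshold, and
    what each override fragment would look like to the recipient."""
    frags = rtl_override_fragments(html)
    return {
        "overrides": len(frags),
        "flagged": len(frags) >= RTL_THRESHOLD,
        "visible": [approximate_visible_text(f) for f in frags],
    }


if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(name, scan(body))
```

The benign sample shows the distinction the rule relies on: `dir="rtl"` on its own marks legitimate right-to-left text and is not counted, whereas `<bdo>` and `unicode-bidi: bidi-override` force reordering and are. The `visible` list demonstrates why a string match on the raw body misses the lure while the rendered page still reads "click here".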
Categories
  • Web
  • Application
  • Cloud
Data Sources
  • Web Credential
  • File
Created: 2025-10-25