
Attachment: HTML smuggling with atob and high entropy via calendar invite

Sublime Rules

Summary
This detection rule identifies potential HTML smuggling attacks delivered through calendar invite files (.ics). For inbound emails, it inspects attachments for HTML and JavaScript characteristics commonly associated with malware delivery. It checks the file's entropy, requiring it to exceed a threshold that indicates likely obfuscation, and looks in particular for the JavaScript 'atob' function, which decodes base64-encoded strings and is often used to disguise malicious content. Additionally, the rule excludes certain known-good sender domains and undeliverable messages to reduce false positives, so that it concentrates on genuine threats. Overall, it combines file analysis, HTML and JavaScript parsing, and sender verification to detect fraudulent attachments likely to be used for credential phishing or malware distribution.
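As an added illustration of the rule's three checks (this is not the Sublime rule source, which is not reproduced here), the Python below mirrors them over a constructed .ics: Shannon entropy of the whole file, an atob( call found only within script text, and a sender allow-list. The entropy threshold and the allow-listed domain are assumptions; the page does not give the rule's values.

```python
import base64
import math
import re
from html.parser import HTMLParser

# Assumed values: the page gives neither the rule's entropy threshold nor its allow-list.
ENTROPY_THRESHOLD = 5.0
KNOWN_GOOD_DOMAINS = {"calendar.example"}  # hypothetical allow-listed sender domain

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a file of one repeated byte, 8.0 for a flat distribution."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class _ScriptText(HTMLParser):
    """Collect only the text that sits inside <script> elements (JavaScript context)."""
    def __init__(self):
        super().__init__()
        self.inside, self.chunks = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.inside = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.inside = False
    def handle_data(self, data):
        if self.inside:
            self.chunks.append(data)

ATOB_CALL = re.compile(r"\batob\s*\(")

def scan_ics(raw: bytes, sender_domain: str) -> dict:
    """Apply the rule's conditions: atob in JS context, entropy above the threshold,
    and a sender domain that is not on the known-good list."""
    parser = _ScriptText()
    parser.feed(raw.decode("utf-8", errors="replace"))
    uses_atob = ATOB_CALL.search("".join(parser.chunks)) is not None
    entropy = shannon_entropy(raw)
    flagged = uses_atob and entropy > ENTROPY_THRESHOLD and sender_domain not in KNOWN_GOOD_DOMAINS
    return {"entropy": round(entropy, 3), "uses_atob": uses_atob, "flagged": flagged}

# Constructed samples: an invite whose HTML description decodes a base64 blob
# (filler bytes, not a payload) at runtime, and a plain-text invite for comparison.
_BLOB = base64.b64encode(bytes(range(256)) * 4)
SMUGGLING_ICS = (b"BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Quarterly review\r\nDESCRIPTION:"
                 b'<html><body><script>var p=atob("' + _BLOB + b'");</script></body></html>\r\n'
                 b"END:VEVENT\r\nEND:VCALENDAR\r\n")
PLAIN_ICS = (b"BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Quarterly review\r\n"
             b"DESCRIPTION:Agenda attached separately.\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
```

Running scan_ics(SMUGGLING_ICS, "attacker.example") flags the sample, while the same file from an allow-listed domain, or the plain invite from any domain, does not.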
Categories
  • Web
  • Endpoint
  • Network
  • Cloud
Data Sources
  • File
  • Process
  • Network Traffic
  • Application Log
Created: 2025-06-04