
Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment

Sublime Rules

Summary
This rule detects HTML smuggling attachments, as used in Qakbot campaigns, that carry a zip archive which has been Base64-encoded twice. The double encoding is meant to hide the archive from basic analysis: the Base64 form of a zip that every analyst recognises ("UEsDB...", the encoding of the PK\x03\x04 local file header that starts every zip) no longer appears anywhere in the HTML. The header is still predictable, however. Encoding that string a second time produces only a small, fixed set of strings, one for each byte alignment of the inner string within the outer encoder's input, so the rule simply looks for those strings. The detection logic fires on attachments whose file extension is html or htm and whose content contains any of the preset double-encoded patterns. To limit noise, the rule also uses sender profile data: it targets new or outlier senders and excludes senders already established as false positives.
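The following Python is an added example and is not the Sublime rule itself (Sublime rules are written in MQL, and the exact strings the rule presets are not shown on this page). It derives the double-Base64 signatures of the zip local file header from first principles, one per alignment, and then applies the same attachment check the summary describes to constructed sample attachments. The function names, the sample HTML, and the in-memory zip are all this example's own assumptions.

```python
import base64
import io
import re
import zipfile

# Every zip archive starts with a "local file header" whose first four bytes
# are the signature PK\x03\x04.  Base64 is deterministic on a fixed prefix, so
# a zip encoded once always begins "UEsDB", and a zip encoded twice begins
# with one of a few fixed strings that depend only on where the inner string
# lands relative to the outer encoder's 3-byte groups.
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def stable_b64_chars(prefix: bytes, offset: int) -> str:
    """Return the Base64 output characters that are fully determined by `prefix`
    when `prefix` starts at byte position `offset` (mod 3) of the encoder input,
    with arbitrary unknown bytes before and after it.  A Base64 character covers
    six consecutive input bits and is stable only if all six are known bits."""
    align = offset % 3
    padded = b"\x00" * align + prefix + b"\x00\x00"  # filler stands in for unknown bytes
    encoded = base64.b64encode(padded).decode("ascii")
    first_known_bit = align * 8
    end_known_bit = (align + len(prefix)) * 8
    return "".join(
        ch for i, ch in enumerate(encoded)
        if 6 * i >= first_known_bit and 6 * i + 5 < end_known_bit
    )


def double_encoded_signatures(header: bytes = ZIP_LOCAL_HEADER) -> set:
    """All fixed strings a twice-Base64-encoded file starting with `header` can carry."""
    inner = stable_b64_chars(header, 0)  # "UEsDB" for a zip
    return {stable_b64_chars(inner.encode("ascii"), k) for k in range(3)}


SIGNATURE_RE = re.compile("|".join(re.escape(s) for s in sorted(double_encoded_signatures())))


def is_html_attachment(filename: str) -> bool:
    """The rule only examines attachments with an html or htm extension."""
    return filename.lower().rsplit(".", 1)[-1] in ("html", "htm")


def find_double_encoded_zip(filename: str, content: str) -> list:
    """Mirror of the rule's content check: returns the signatures found in an
    html/htm attachment (an empty list means the rule would not match)."""
    if not is_html_attachment(filename):
        return []
    return sorted(set(SIGNATURE_RE.findall(content)))


# ---- constructed samples (not real malware) --------------------------------

def _make_zip(name: str, data: bytes) -> bytes:
    """Build a small zip in memory so the signatures are checked against a real header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def _smuggling_page(blob: str) -> str:
    """Constructed HTML smuggling page: the blob is decoded in the browser and dropped as a file."""
    return (
        "<html><body><script>\n"
        f'var payload = "{blob}";\n'
        "var bytes = atob(atob(payload));\n"
        "// ... wrap in a Blob and trigger a download ...\n"
        "</script></body></html>"
    )


ZIP_BYTES = _make_zip("invoice.txt", b"constructed sample content")
SINGLE_B64 = base64.b64encode(ZIP_BYTES).decode("ascii")
DOUBLE_B64 = base64.b64encode(SINGLE_B64.encode("ascii")).decode("ascii")
# One junk byte ahead of the inner string shifts the alignment, so a different
# one of the three signatures shows up in the outer encoding.
SHIFTED_DOUBLE_B64 = base64.b64encode(b"x" + SINGLE_B64.encode("ascii")).decode("ascii")

SAMPLE_ATTACHMENTS = {
    "invoice.html": _smuggling_page(DOUBLE_B64),           # what the rule targets
    "invoice-shifted.htm": _smuggling_page(SHIFTED_DOUBLE_B64),
    "single.html": _smuggling_page(SINGLE_B64),            # encoded once: outside this rule's scope
    "index.html": "<html><body><p>Quarterly report attached.</p></body></html>",
}


def scan_all() -> dict:
    """Run the check over every sample; only attachments with hits are returned."""
    hits = {name: find_double_encoded_zip(name, body) for name, body in SAMPLE_ATTACHMENTS.items()}
    return {name: sigs for name, sigs in hits.items() if sigs}


if __name__ == "__main__":
    print("inner prefix:", stable_b64_chars(ZIP_LOCAL_HEADER, 0))
    print("double-encoded signatures:", sorted(double_encoded_signatures()))
    print("matches:", scan_all())
```

Two practical caveats follow from the code. First, the signatures are only six characters long for the bare four-byte header; feeding a longer, typical prefix (for example the header followed by the common "version needed" field) yields longer and more specific strings, at the cost of missing archives written with other values. Second, the check is a fixed-string match, so an attacker who splits, reverses or otherwise obfuscates the string in JavaScript before decoding it will evade it; that is why the rule pairs the content check with sender-profile conditions rather than relying on the strings alone.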
Categories
  • Endpoint
  • Web
  • Cloud
  • Application
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2022-12-07