
Summary
This rule is designed to detect malicious HTML files within email attachments that may be used for credential phishing. It identifies HTML content that references the recipient's email address, a common tactic attackers use to convince users that the email is legitimate. The rule employs multiple checks, looking for HTML file types including .html, .htm, and .shtml, among others. Additionally, it scans the file's content for suspicious JavaScript patterns, such as those indicative of HTML smuggling; specifically, it checks for the presence of numerous JavaScript identifiers resembling obfuscated code (notably those starting with '_0x'). The detection mechanism combines content analysis, file-type validation, and YARA rules to identify harmful JavaScript. Overall, it aims to prevent phishing attempts by identifying high-risk email attachments before they can compromise user credentials.
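As an added illustration (not the rule's own logic or the vendor's code), the following Python applies the checks the summary describes to a constructed attachment: an extension check, a search for the recipient's address in the body, and a count of distinct '_0x' identifiers. The threshold for "numerous" and the exact extension set are assumptions.

```python
import os
import re

# Extensions treated as HTML attachments; the summary names .html, .htm and .shtml "among others".
HTML_EXTENSIONS = {".html", ".htm", ".shtml"}
# Obfuscated JavaScript identifiers of the '_0x' form the summary describes, e.g. _0x4f2a.
OBFUSCATED_ID = re.compile(r"\b_0x[0-9a-fA-F]+\b")
# How many distinct '_0x' identifiers count as "numerous" is not stated; assumed for this example.
OBFUSCATED_ID_THRESHOLD = 5


def is_html_attachment(filename: str) -> bool:
    """File-type check based on the attachment's extension (case-insensitive)."""
    return os.path.splitext(filename)[1].lower() in HTML_EXTENSIONS


def references_recipient(content: str, recipient: str) -> bool:
    """True when the HTML body contains the recipient's address (case-insensitive)."""
    return recipient.lower() in content.lower()


def count_obfuscated_ids(content: str) -> int:
    """Number of distinct '_0x'-style identifiers in the file content."""
    return len(set(OBFUSCATED_ID.findall(content)))


def evaluate_attachment(filename: str, content: str, recipient: str) -> dict:
    """Apply the three checks and report which fired plus an overall verdict."""
    html = is_html_attachment(filename)
    personalised = html and references_recipient(content, recipient)
    obf_count = count_obfuscated_ids(content) if html else 0
    return {
        "html_attachment": html,
        "references_recipient": personalised,
        "obfuscated_identifiers": obf_count,
        "flagged": personalised and obf_count >= OBFUSCATED_ID_THRESHOLD,
    }


# Constructed samples: one attachment that addresses the recipient and carries a block of
# '_0x' identifiers (indicators only, no working payload), and one benign page.
SAMPLE_RECIPIENT = "jane.doe@example.com"
SAMPLE_SUSPICIOUS = """<html><body>
<p>Document shared with jane.doe@example.com</p>
<script>var _0x1a2b=['a','b'];function _0x3c4d(_0x5e6f){return _0x1a2b[_0x5e6f]}
var _0x7a8b=_0x3c4d(0);var _0x9c0d=atob(_0x7a8b);</script></body></html>"""
SAMPLE_BENIGN = "<html><body><p>Monthly newsletter, no script.</p></body></html>"

if __name__ == "__main__":
    print(evaluate_attachment("doc.html", SAMPLE_SUSPICIOUS, SAMPLE_RECIPIENT))
    print(evaluate_attachment("news.htm", SAMPLE_BENIGN, SAMPLE_RECIPIENT))
```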
Categories
- Endpoint
- Web
- Identity Management
Data Sources
- File
- Process
- Network Traffic
Created: 2023-06-16