Attachment: Any HTML file (untrusted sender)

Sublime Rules

Summary
This rule is designed to detect potential HTML smuggling attacks originating from new or untrusted email senders. It specifically focuses on inbound HTML file attachments, which may indicate malicious intent if such behavior is not typical within the environment. The rule applies to any attachment with an 'htm' or 'html' extension. It includes a sender profile analysis to check for new or outlier senders and considers if the sender has a history of malicious or spam messages. Additionally, to minimize false positives, it checks that none of the sender's previous messages have been marked as false positives. The rule also incorporates a check against a list of highly trusted sender domains, allowing exceptions only if the DMARC authentication fails for those domains. This rule's implementation helps to safeguard against phishing attacks that often utilize HTML smuggling techniques to bypass conventional security measures.
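The conditions described above, written out as an added Python model of the rule logic (this is not the Sublime rule's own MQL, and it assumes a simplified sender profile with a hypothetical placeholder trusted-domain list):

```python
# Added example: a Python model of the detection conditions the summary
# describes, evaluated over constructed message records. Not Sublime's code.
from dataclasses import dataclass

HTML_EXTENSIONS = {"htm", "html"}
# Constructed placeholder; the real highly-trusted domain list is not on this page.
HIGHLY_TRUSTED_DOMAINS = {"trusted.example"}


@dataclass
class SenderProfile:
    prevalence: str                      # "new", "outlier" or "common" (assumed labels)
    any_malicious_or_spam: bool = False  # sender has prior malicious/spam messages
    any_false_positives: bool = False    # sender has prior messages marked false positive


@dataclass
class Message:
    direction: str          # "inbound" or "outbound"
    sender_domain: str
    dmarc_pass: bool
    attachment_names: list
    profile: SenderProfile


def has_html_attachment(names):
    # Extension match is case-insensitive: "Invoice.HTML" still counts.
    return any(n.rsplit(".", 1)[-1].lower() in HTML_EXTENSIONS
               for n in names if "." in n)


def matches(msg: Message) -> bool:
    """Return True when the message meets every condition in the summary."""
    if msg.direction != "inbound":
        return False
    if not has_html_attachment(msg.attachment_names):
        return False
    p = msg.profile
    # Sender must be new/outlier, or have a malicious/spam history.
    if p.prevalence not in {"new", "outlier"} and not p.any_malicious_or_spam:
        return False
    # Suppress when any earlier message from this sender was a false positive.
    if p.any_false_positives:
        return False
    # Highly trusted domains are exempt unless their DMARC check fails.
    if msg.sender_domain in HIGHLY_TRUSTED_DOMAINS and msg.dmarc_pass:
        return False
    return True
```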
Categories
  • Endpoint
  • Application
  • Identity Management
Data Sources
  • User Account
  • File
Created: 2021-09-13