
Summary
This detection rule targets the use of the `search-ms` URI protocol handler within HTML attachments, a technique observed in the wild (ITW) as a method for delivering malicious payloads. It analyzes inbound messages to identify HTML files and inspects their content for URLs matching the `search-ms:query` pattern, which can indicate malicious intent when the link directs users to execute a specific search or retrieve harmful files. The rule is flexible and can be adapted to scan not only HTML attachments but also links in PDF attachments and message bodies. Its high severity reflects a strong likelihood that matches are malicious, with malware and ransomware as the primary threats. Because the technique relies on evasion, detection methods that include file and HTML analysis are crucial to remaining effective against evolving threats.
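The detection described above, as an added example in Python (stdlib only) that is not the rule's own implementation: it walks the MIME parts of an inbound message, picks out HTML attachments by content type or file extension, entity-decodes their content, and reports every `search-ms:query` URI found. The message, sender and recipient addresses, attachment file names and link contents are all constructed for the example.

```python
"""Added example (not the rule's own code): find search-ms:query URIs in HTML attachments."""
import email
import html
import re
from email import policy
from email.message import EmailMessage

# Case-insensitive match for the search-ms scheme followed by a query parameter; this mirrors
# the search-ms:query pattern the rule looks for. The character class stops at quotes,
# angle brackets and whitespace so the match does not run past the end of an href value.
SEARCH_MS_RE = re.compile(r"""search-ms:[^"'<>\s]*?query=[^"'<>\s]*""", re.IGNORECASE)

HTML_EXTENSIONS = (".htm", ".html", ".xhtml", ".shtml")


def is_html_attachment(part) -> bool:
    """True when a MIME part looks like an HTML file (by declared type or by file name)."""
    filename = (part.get_filename() or "").lower()
    return (part.get_content_type() in ("text/html", "application/xhtml+xml")
            or filename.endswith(HTML_EXTENSIONS))


def find_search_ms_urls(content: str) -> list:
    """Return every search-ms:query URI in the content, after HTML entity decoding."""
    # Decode entities first so an entity-encoded scheme (e.g. &#115;earch-ms) cannot hide
    # the handler from a plain substring match.
    decoded = html.unescape(content)
    return SEARCH_MS_RE.findall(decoded)


def scan_message(raw: bytes) -> list:
    """Scan an RFC 822 message; return one finding per HTML attachment that carries search-ms URIs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart() or not is_html_attachment(part):
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        urls = find_search_ms_urls(text)
        if urls:
            findings.append({"filename": part.get_filename(), "urls": urls})
    return findings


def build_sample_message(include_search_ms: bool = True) -> bytes:
    """Constructed sample message: one benign HTML attachment and, optionally, one with search-ms links."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # constructed address
    msg["To"] = "recipient@example.com"     # constructed address
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    # Benign HTML attachment containing only an ordinary https link.
    msg.add_attachment('<html><body><a href="https://example.com/portal">Portal</a></body></html>',
                       subtype="html", filename="notice.html")
    if include_search_ms:
        # Constructed lure: one plain search-ms link and one whose scheme is entity-encoded.
        lure = ('<html><body>\n'
                '<a href="search-ms:query=invoice">Open invoice</a>\n'
                '<a href="&#115;earch-ms:query=report">Open report</a>\n'
                '</body></html>')
        msg.add_attachment(lure, subtype="html", filename="invoice.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding["filename"], "->", finding["urls"])
```

`find_search_ms_urls` works on any decoded text, so the same function can be pointed at text extracted from PDF attachments or at the message body itself, which is the adaptation the rule description mentions. Entity-decoding before matching is the one step worth keeping even in a simpler implementation, since a raw substring check on the scheme is trivially bypassed otherwise.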
Categories
- Endpoint
- Network
- Web
- Application
Data Sources
- File
- Process
Created: 2023-07-31