
Attachment: HTML smuggling with auto-downloaded file

Sublime Rules

Summary
This detection rule identifies potential HTML smuggling attacks in which an HTML attachment automatically downloads a file via embedded JavaScript. It examines messages carrying attachments with file extensions used for HTML content (.html, .htm, .shtml, .dhtml) or common archive formats. The key indicators are JavaScript identifiers that suggest the script loads or executes content on its own, such as 'addEventListener' or 'click', which can indicate that the page simulates a user interaction rather than waiting for one. The rule also looks for specific patterns around the JavaScript 'atob' function, which decodes base64-encoded strings and is commonly used for that purpose in potentially malicious scenarios. By inspecting the structure and function calls of the JavaScript inside the HTML, the rule helps determine whether the attachment is being used for credential phishing or to deliver malware.
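Added example, not the rule's own logic: a small Python checker that applies the summary's indicators (HTML extension, an auto-trigger identifier in inline script, an atob() call) to one attachment. The sample attachments are constructed, requiring all three indicators to coincide is an assumption, and archive attachments are not unpacked here.

```python
import re

# Attachment extensions the rule treats as HTML content (from the rule summary)
HTML_EXTENSIONS = {"html", "htm", "shtml", "dhtml"}
# JavaScript identifiers suggesting the page acts without a real user click
AUTO_TRIGGER_IDENTIFIERS = ("addEventListener", "click")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ATOB_RE = re.compile(r"\batob\s*\(")  # atob(...) call used to decode base64


def attachment_extension(filename: str) -> str:
    """Lower-cased extension of the attachment name, '' if it has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def inspect_html_attachment(filename: str, content: str) -> dict:
    """Apply the rule's indicators to one attachment and return the findings.

    Flags only when all three hold (assumption): HTML extension, an
    auto-trigger identifier inside inline script, and at least one atob() call.
    """
    ext = attachment_extension(filename)
    scripts = "\n".join(SCRIPT_RE.findall(content))
    triggers = [ident for ident in AUTO_TRIGGER_IDENTIFIERS if ident in scripts]
    atob_calls = len(ATOB_RE.findall(scripts))
    return {
        "extension": ext,
        "is_html_attachment": ext in HTML_EXTENSIONS,
        "auto_trigger_identifiers": triggers,
        "atob_call_count": atob_calls,
        "flagged": ext in HTML_EXTENSIONS and bool(triggers) and atob_calls > 0,
    }


# Constructed sample: inline script decodes a base64 string and fires a click itself
SAMPLE_SMUGGLING = """<html><body><a id="dl" href="#">download</a><script>
document.addEventListener("DOMContentLoaded", function () {
  var text = atob("SGVsbG8=");  // decodes to "Hello"
  document.getElementById("dl").click();
});
</script></body></html>"""

# Constructed sample: a click handler but no base64 decoding, so it must not flag
SAMPLE_BENIGN = """<html><body><button id="b">Go</button><script>
document.getElementById("b").addEventListener("click", function () { alert("hi"); });
</script></body></html>"""

if __name__ == "__main__":
    for name, body in (("invoice.html", SAMPLE_SMUGGLING), ("notes.txt", SAMPLE_SMUGGLING),
                       ("page.htm", SAMPLE_BENIGN)):
        print(name, inspect_html_attachment(name, body))
```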
Categories
  • Web
  • Containers
  • Endpoint
Data Sources
  • File
  • Script
  • Container
Created: 2023-06-26