Attachment: HTML Attachment with Javascript location

Sublime Rules

Summary
This rule detects potentially malicious HTML attachments that use JavaScript, with a focus on HTML smuggling. HTML smuggling embeds JavaScript in an HTML file that dynamically builds or fetches a resource when the file is opened, commonly as a step in credential phishing or malware delivery. The detection recursively scans email attachments and archives for files whose extensions are associated with HTML. It applies only to attachments whose size does not exceed 5000 bytes, so that small smuggling payloads are not overlooked. Within those files it looks for JavaScript identifiers, specifically the 'location' identifier, which can indicate an attempt to redirect the user or load a remote resource. The rule combines several analysis techniques (archive scanning, content scanning, JavaScript and HTML analysis) to improve its coverage of these threats.
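The following is an added Python approximation of the detection logic described above; it is not the Sublime rule itself or its query language. It assumes `.html`/`.htm` as the HTML extension set and ZIP as the archive format (the summary names neither), and runs over constructed sample attachments rather than real mail.

```python
import io
import re
import zipfile

# Assumed extension set; the rule summary only says "extensions associated with HTML".
HTML_EXTENSIONS = (".html", ".htm")
MAX_SIZE = 5000  # byte limit stated in the rule summary

# Matches the bare JavaScript identifier "location" (window.location, location.href)
# but not a longer word such as "relocation". A regex, not a real JS tokenizer.
LOCATION_RE = re.compile(r"(?<![\w$])location(?![\w$])")


def iter_files(name, data, depth=0, max_depth=3):
    """Yield (name, bytes) for a file and, recursively, for members of any ZIP it contains."""
    yield name, data
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                yield from iter_files(f"{name}/{member.filename}", zf.read(member), depth + 1, max_depth)


def html_js_location_hits(attachments):
    """Return names of HTML files (<= MAX_SIZE bytes) whose <script> content uses `location`."""
    hits = []
    for name, data in attachments:
        for fname, fdata in iter_files(name, data):
            if not fname.lower().endswith(HTML_EXTENSIONS) or len(fdata) > MAX_SIZE:
                continue
            text = fdata.decode("utf-8", errors="ignore")
            scripts = re.findall(r"<script\b[^>]*>(.*?)</script>", text, re.I | re.S)
            if any(LOCATION_RE.search(s) for s in scripts):
                hits.append(fname)
    return hits


def build_samples():
    """Constructed sample attachments (not real phishing artifacts): a small redirecting
    page, a plain page, an oversized page (above MAX_SIZE) and a ZIP wrapping the first."""
    redirect_html = b"<html><body><script>window.location = 'https://example.invalid/';</script></body></html>"
    plain_html = b"<html><body><p>Quarterly report attached.</p></body></html>"
    big_html = b"<html><script>location.reload();</script>" + b"<!-- pad -->" * 600 + b"</html>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inner/page.htm", redirect_html)
        zf.writestr("notes.txt", b"relocation plan")
    return [("invoice.html", redirect_html), ("report.html", plain_html),
            ("big.html", big_html), ("bundle.zip", buf.getvalue())]


if __name__ == "__main__":
    print(html_js_location_hits(build_samples()))
```

Only the small redirecting page and its copy inside the archive are flagged; the oversized page is excluded by the 5000-byte limit even though it also references `location`.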
Categories
  • Web
  • Endpoint
Data Sources
  • File
  • Internet Scan
  • Application Log
Created: 2022-05-13