
Summary
This rule detects EML files that contain HTML attachments from unsolicited senders, mitigating the risk of HTML smuggling attacks. It identifies EML files by checking for attachments with the file extension '.eml' or a content type of 'message/rfc822'. The rule then parses the EML files for the presence of HTML files, which do not always carry the '.html' file extension. To catch renamed files while minimizing false positives, the rule checks for file names containing '.htm', for file types categorized as HTML, and for MIME types indicating 'text/html'. It also excludes common bounce-back and read-receipt senders, as well as messages whose subject lines indicate automatic replies. Finally, the presence of specific reference headers or other characteristics of solicited email is checked, so that only EML files that are indeed unsolicited are flagged. The overall aim is to reduce the entry points for phishing and malware delivered through unsolicited email attachments.
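The detection logic described above, as an added illustration written for this page rather than the rule's own implementation: it locates .eml / message/rfc822 attachments, inspects the nested message for HTML files by name, declared MIME type or content sniffing, and applies the bounce-back, auto-reply and reply-thread exclusions. The sender and subject patterns, the sniffing heuristic and the sample message are all constructed assumptions, not the rule's actual lists.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed exclusion patterns (not the rule's real lists) to cut false positives.
AUTOMATED_SENDER = re.compile(r"^(mailer-daemon|postmaster|no-?reply)@", re.I)
AUTO_SUBJECT = re.compile(r"^(automatic reply|out of office|read:|undeliverable)", re.I)

def is_eml_attachment(part) -> bool:
    name = (part.get_filename() or "").lower()
    return name.endswith(".eml") or part.get_content_type() == "message/rfc822"

def is_html_attachment(att) -> bool:
    """HTML by file name, by declared MIME type, or by sniffing the decoded bytes."""
    name = (att.get_filename() or "").lower()
    if ".htm" in name or att.get_content_type() == "text/html":
        return True
    head = (att.get_payload(decode=True) or b"").lstrip()[:32].lower()
    return head.startswith((b"<html", b"<!doctype html"))

def load_inner(part):
    if part.get_content_type() == "message/rfc822":
        return part.get_payload(0)  # parser already built the nested message
    return email.message_from_bytes(part.get_payload(decode=True), policy=policy.default)

def flags_unsolicited_html_in_eml(raw: bytes) -> bool:
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1]
    if AUTOMATED_SENDER.match(sender) or AUTO_SUBJECT.match(msg.get("Subject", "")):
        return False
    if msg.get("In-Reply-To") or msg.get("References"):
        return False  # reply to an existing thread: treated as solicited
    return any(is_html_attachment(a)
               for p in msg.iter_attachments() if is_eml_attachment(p)
               for a in load_inner(p).iter_attachments())

def build_sample(sender="unknown@example.net", subject="Invoice", in_reply_to=None) -> bytes:
    """Constructed sample: forwarded .eml whose HTML file is named .txt and typed octet-stream."""
    inner = EmailMessage()
    inner["From"], inner["To"], inner["Subject"] = sender, "user@example.com", "Fwd"
    inner.set_content("See attached.")
    inner.add_attachment(b"<html><body>content</body></html>", maintype="application",
                         subtype="octet-stream", filename="document.txt")
    outer = EmailMessage()
    outer["From"], outer["To"], outer["Subject"] = sender, "user@example.com", subject
    if in_reply_to:
        outer["In-Reply-To"] = in_reply_to
    outer.set_content("Forwarded message attached.")
    outer.add_attachment(inner, filename="message.eml")
    return outer.as_bytes()
```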
Categories
- Endpoint
- Cloud
- Web
Data Sources
- File
- Network Traffic
- Application Log
Created: 2023-06-29