Body: HTML whitespace stuffing with short initial message

Sublime Rules

Summary
This rule detects HTML-based whitespace stuffing in inbound emails, a technique used to obfuscate credential phishing content. It targets messages that appear to be part of a direct (single-recipient) thread with a short initial message, and analyzes the email body for HTML padding patterns that push the critical content below the visible fold. The rule looks for three padding patterns: (1) sequences of many line-break tags (<br/>), (2) repeated paragraph blocks containing only non-breaking spaces, and (3) nested div wrappers containing line breaks. It also caps the visible text length, so that legitimate long threads are excluded, and requires at least one visible link to an external domain while keeping the total number of visible links under a threshold. High-trust senders with valid DMARC and unsubscribe-like patterns are excluded to reduce false positives. Detection methods include content analysis, HTML analysis, and header analysis. The rule is categorized under credential phishing with evasion and social engineering techniques, and is intended to reduce user susceptibility by flagging deceptive HTML padding and short, high-risk lures in inbound messages.
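The following Python is an added, illustrative re-implementation of the heuristics summarized above; it is not the Sublime rule's own MQL, and every threshold, the sender-domain check and the sample message are constructed assumptions, since the page does not give the rule's values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed thresholds; the real rule's values are not given on the page.
BR_RUN_MIN, NBSP_PARA_MIN, DIV_DEPTH_MIN = 10, 5, 3
MAX_VISIBLE_CHARS, MAX_VISIBLE_LINKS = 300, 5

class _BodyExtractor(HTMLParser):
    """Collect visible text and href targets from an HTML body."""
    def __init__(self):
        super().__init__()          # default convert_charrefs turns &nbsp; into \xa0
        self.text, self.hrefs = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
    def handle_data(self, data):
        self.text.append(data)

def padding_patterns(html):
    """Return which of the three padding patterns the raw HTML contains."""
    checks = {
        "br_run": r"(?:<br\s*/?>\s*){%d,}" % BR_RUN_MIN,
        "nbsp_paragraphs": r"(?:<p[^>]*>(?:\s|&nbsp;)*</p>\s*){%d,}" % NBSP_PARA_MIN,
        "nested_div_br": r"(?:<div[^>]*>\s*){%d,}<br\s*/?>" % DIV_DEPTH_MIN,
    }
    return [name for name, rx in checks.items() if re.search(rx, html, re.I)]

def evaluate(html, sender_domain, dmarc_pass=False, has_unsubscribe=False):
    """Padding present, short visible text, 1..MAX_VISIBLE_LINKS links with at
    least one external, and not a DMARC-passing sender with unsubscribe cues."""
    parser = _BodyExtractor()
    parser.feed(html)
    visible = re.sub(r"\s+", " ", " ".join(parser.text).replace("\xa0", " ")).strip()
    hosts = [urlparse(h).hostname or "" for h in parser.hrefs]
    external = [h for h in hosts
                if h and h != sender_domain and not h.endswith("." + sender_domain)]
    padding = padding_patterns(html)
    match = (bool(padding) and len(visible) <= MAX_VISIBLE_CHARS
             and 1 <= len(hosts) <= MAX_VISIBLE_LINKS and len(external) >= 1
             and not (dmarc_pass and has_unsubscribe))
    return {"match": match, "patterns": padding, "visible_chars": len(visible),
            "links": len(hosts), "external_links": len(external)}

# Constructed sample: a short lure, then 12 <br/> tags push the link below the fold.
SAMPLE_LURE = ("<html><body><p>Hi, please review the attached invoice.</p>"
               + "<br/>" * 12
               + '<p><a href="https://example-login.invalid/verify">Verify account</a></p>'
               "</body></html>")
```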
Categories
  • Endpoint
  • Web
  • Network
Data Sources
  • Script
Created: 2026-05-30