
Summary
This rule detects potential phishing attempts in which a single recipient's second-level domain (SLD) is concealed inside HTML class attributes of an inbound message. It applies to mail sent to the organization's users from unauthenticated or untrusted senders. The detection logic first confirms that the message originated from an untrusted domain that failed DMARC validation, so legitimate senders that pass DMARC are excluded. It then requires exactly one recipient in the organization and more than 30 HTML class attributes that contain that recipient's SLD, and it looks for patterns in those class attributes, particularly values starting with 'x_hz', a concealment technique often associated with phishing. Replies are excluded, and sending domains with high trust are considered only when they have failed DMARC authentication. The attack type targeted by this rule is credential phishing; the tactics it flags are evasion and social engineering used to deceive recipients.
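The conditions above, expressed as an added illustration in Python; this is not the rule's own implementation and it assumes the SLD is the label immediately left of the TLD, that the 'x_hz' prefix is required on at least one matching class, and that DMARC result, reply status and recipient list are supplied by the caller:

```python
import re
from html.parser import HTMLParser

# Rule parameters taken from the description.
CLASS_ATTR_THRESHOLD = 30      # more than 30 class attributes containing the SLD
CONCEALMENT_PREFIX = "x_hz"    # class prefix associated with concealment


class ClassCollector(HTMLParser):
    """Collects every class token from the start tags of an HTML body."""

    def __init__(self):
        super().__init__()
        self.classes = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() == "class" and value:
                self.classes.extend(value.split())


def recipient_sld(address):
    """Second-level label of the recipient domain (assumption: label left of the TLD)."""
    domain = address.rsplit("@", 1)[-1].lower()
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def evaluate(html_body, org_recipients, dmarc_pass, is_reply):
    """Apply the rule's conditions; returns the verdict plus the counts behind it."""
    result = {"match": False, "class_hits": 0, "concealment_hits": 0}
    # Replies, DMARC-passing senders and multi-recipient mail are out of scope.
    if is_reply or dmarc_pass or len(org_recipients) != 1:
        return result
    sld = recipient_sld(org_recipients[0])
    parser = ClassCollector()
    parser.feed(html_body)
    hits = [c for c in parser.classes if sld in c.lower()]
    concealed = [c for c in hits if c.lower().startswith(CONCEALMENT_PREFIX)]
    result["class_hits"] = len(hits)
    result["concealment_hits"] = len(concealed)
    result["match"] = len(hits) > CLASS_ATTR_THRESHOLD and bool(concealed)
    return result


# Constructed sample body: 35 spans whose class values embed the recipient SLD "acme".
SAMPLE_HTML = "<html><body>" + "".join(
    f'<span class="x_hzacme{i}">.</span>' for i in range(35)) + "</body></html>"
```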
Categories
- Web
- Cloud
- Identity Management
Data Sources
- Web Credential
- Process
Created: 2025-09-24