
Summary
This detection rule targets spam emails that use hidden HTML elements and images to deceive recipients. Such emails often impersonate legitimate services, using lures about account or membership expirations or about delivery notifications. The rule evaluates inbound emails, checking whether the sender is solicited and assessing the trustworthiness of the sender's domain through its DMARC authentication headers. Because this kind of spam has a characteristic structure, several regex patterns inspect the HTML in the message body, looking for centered images that are either directly linked or concealed by styles that hide content from normal view, so that the deceptive layout can be identified. The rule also compares the amount of visible text with the amount of hidden text, flagging messages in which the hidden content vastly outweighs what the recipient can see. Together these signals expose evasion and manipulation techniques common in spam campaigns and improve the filtering of such messages across email systems.
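As an added illustration (not the rule's own logic or code), the following Python reimplements the body-level checks the summary describes: it flags a centered image wrapped in a link, attributes text to hidden or visible elements based on inline styles, and reports when hidden text vastly outweighs visible text. The set of hiding styles, the 3:1 threshold and the sample message are assumptions; the sender and DMARC checks are out of scope here.

```python
import re
from html.parser import HTMLParser

# Inline styles that remove an element from view (assumed set, not the rule's own regex).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|pt)?\s*(?:;|$)|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)", re.I)
# A centered image wrapped in a link: the lure's clickable "body" (assumed pattern).
CENTERED_LINKED_IMAGE = re.compile(
    r"<(?:center|[a-z]+[^>]*text-align\s*:\s*center[^>]*)>\s*<a\s[^>]*href=[^>]+>\s*<img\s",
    re.I | re.S)

class HiddenTextCounter(HTMLParser):
    """Attribute each text run to hidden or visible, based on enclosing element styles."""
    def __init__(self):
        super().__init__()
        self.stack = []  # (tag, is_hidden) for each open element
        self.hidden = self.visible = 0
    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        self.stack.append((tag, bool(HIDDEN_STYLE.search(style))))
    def handle_endtag(self, tag):
        # Pop back to the matching open tag; this also discards unclosed void tags (<img>, <br>).
        if any(t == tag for t, _ in self.stack):
            while self.stack.pop()[0] != tag:
                pass
    def handle_data(self, data):
        n = sum(1 for c in data if not c.isspace())  # whitespace does not count as text
        if any(h for _, h in self.stack):
            self.hidden += n
        else:
            self.visible += n

def analyze_body(html, ratio_threshold=3.0):
    """Return the body-level signals the rule combines with its sender checks."""
    counter = HiddenTextCounter()
    counter.feed(html)
    ratio = counter.hidden / counter.visible if counter.visible else (float("inf") if counter.hidden else 0.0)
    return {"hidden_chars": counter.hidden, "visible_chars": counter.visible,
            "centered_linked_image": bool(CENTERED_LINKED_IMAGE.search(html)),
            "hidden_dominates": ratio >= ratio_threshold}

# Constructed sample: a "membership expired" lure whose only visible content is a
# linked image, padded with hidden filler text to skew text-based filters.
SAMPLE = ('<center><a href="https://example.invalid/renew"><img src="cid:lure.png"></a></center>'
          '<div style="display:none; font-size:0">Lorem ipsum dolor sit amet consectetur '
          'adipiscing elit sed do eiusmod tempor incididunt ut labore et dolore magna aliqua</div>'
          '<p>Hello</p>')
```

Running `analyze_body(SAMPLE)` reports 102 hidden versus 5 visible characters, a centered linked image, and hidden text dominating; a plain notification body trips none of the signals.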
Categories
- Endpoint
- Web
- Cloud
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2024-07-09