
Attachment: HTML smuggling with embedded base64 streamed file download

Sublime Rules

Summary
This detection rule targets HTML smuggling, a technique attackers use to deliver malicious payloads as base64-encoded files embedded in HTML attachments. The rule identifies email attachments with file extensions associated with HTML (.html, .htm, .shtml, and .dhtml). What makes the technique effective is that the embedded links download files in a way that bypasses traditional email and web filtering: the file is encoded directly within the document rather than fetched from an external source. This approach has recently been observed as a vector for delivering the Qakbot malware, a notorious threat in the ransomware ecosystem. The detection logic combines file extension checks with a regex pattern that matches HTML anchor tags containing base64 data URIs, an indicator of potentially malicious content. The detection methods involve archive analysis, content analysis, file analysis, and specifically HTML analysis, making this a robust rule for identifying this sophisticated attack vector.
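The summary describes the rule as an extension check plus a regex over anchor tags with base64 data URIs. The following is an added illustration of that logic in Python; it is not the Sublime rule itself and not code from Sublime Security. The regex `BASE64_DATA_URI`, the `Finding` record, the function names, and the two sample HTML bodies are all constructed for this example. It parses anchors with the standard library `HTMLParser` and then applies the regex to each `href`, so a data URI in an `<img>` tag (a common benign pattern) is not flagged, while an anchor whose `href` carries a base64 payload is, together with whether it also has a `download` attribute (what turns a click into a forced file save).

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from pathlib import PurePosixPath

# Attachment extensions the rule treats as HTML (as listed on the page).
HTML_EXTENSIONS = {".html", ".htm", ".shtml", ".dhtml"}

# Constructed pattern (an assumption, not the rule's own regex): a data: URI
# whose payload is base64-encoded, allowing optional parameters such as charset.
BASE64_DATA_URI = re.compile(
    r"^\s*data:(?P<mime>[\w.+/-]*)(?:;[^;,]*)*;base64,", re.IGNORECASE
)


@dataclass
class Finding:
    filename: str
    mime_type: str
    has_download_attr: bool


class _AnchorCollector(HTMLParser):
    """Collect the attribute map of every <a> tag in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors = []  # list of {attr_name: attr_value_or_None}

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lowercases tag and attribute names
            self.anchors.append(dict(attrs))


def is_html_attachment(filename: str) -> bool:
    """True when the attachment extension is one the rule considers HTML."""
    return PurePosixPath(filename).suffix.lower() in HTML_EXTENSIONS


def find_smuggled_downloads(filename: str, html: str) -> list:
    """Return one Finding per anchor whose href is a base64 data: URI.

    Non-HTML attachments are skipped entirely, mirroring the rule's
    extension pre-filter; data: URIs outside anchor tags are ignored.
    """
    if not is_html_attachment(filename):
        return []
    collector = _AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs in collector.anchors:
        match = BASE64_DATA_URI.match(attrs.get("href") or "")
        if match is None:
            continue
        findings.append(
            Finding(
                filename=filename,
                # RFC 2397 default when the media type is omitted
                mime_type=match.group("mime") or "text/plain",
                has_download_attr="download" in attrs,
            )
        )
    return findings


# Constructed sample inputs (not real attachments).
SAMPLE_SMUGGLING_HTML = """<html><body>
<p>Your document is ready.</p>
<a download="invoice.zip" href="data:application/zip;base64,UEsDBBQAAAAIAAAAIQ==">Download</a>
</body></html>"""

SAMPLE_BENIGN_HTML = """<html><body>
<a href="https://example.com/report.pdf">Report</a>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="logo">
</body></html>"""


if __name__ == "__main__":
    for name, body in [("invoice.html", SAMPLE_SMUGGLING_HTML),
                       ("newsletter.htm", SAMPLE_BENIGN_HTML)]:
        print(name, find_smuggled_downloads(name, body))
```

This covers the static form the summary describes: an anchor that already contains the payload. Smuggling pages that assemble the file in JavaScript (decoding a base64 string into a Blob and creating the anchor at runtime) present no such `href` in the raw HTML, so a production rule pairs this check with inspection of script content, which is outside the scope of this example.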
Categories
  • Network
  • Endpoint
  • Web
  • Cloud
Data Sources
  • File
  • Application Log
  • Network Traffic
  • Process
Created: 2023-03-31