Attachment: HTML file contains exclusively Javascript

Sublime Rules

Summary
This detection rule flags inbound email attachments that are HTML files whose entire content is a single JavaScript block, a technique commonly used in credential phishing and malware delivery to hide the real page behind a script that decodes and writes it at runtime. An attachment is in scope when it has an HTML file extension (.html, .htm, .shtml or .dhtml) or is identified as HTML by file type. The rule then examines the strings extracted from the attachment: it matches only when exactly one string is found in the file and that string begins with a <script> opening tag and ends with the corresponding </script> closing tag, meaning the file contains nothing but the script itself. Because the match requires a single extracted string, the rule targets compact, typically minified or obfuscated, script-only files rather than ordinary multi-line pages. The rule is rated medium severity and uses archive analysis and file analysis to reach attachment contents, including files nested inside archives.
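The following is an added example of the detection logic described above, written here for illustration and not taken from the Sublime rule itself. It approximates the rule's string extraction with a `strings`-style scan (runs of at least four printable ASCII bytes), stands in for the file-type check with a crude content sniff, and runs the check over constructed sample attachments; the `Attachment` class, the sniffing heuristic and the sample files are all assumptions of this example.

```python
import re
from dataclasses import dataclass

# Extensions named by the rule; the file_type == "html" branch is approximated by a sniff below.
HTML_EXTENSIONS = {"html", "htm", "shtml", "dhtml"}

# Runs of printable ASCII (plus tab) of length >= 4, the way a strings extractor carves a file.
# Newlines are not printable, so every line break ends a string (assumption about the extractor).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\t]{4,}")


@dataclass(frozen=True)
class Attachment:
    """Hypothetical attachment record: file name plus raw bytes."""
    file_name: str
    content: bytes


def extension_of(file_name: str) -> str:
    name = file_name.lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def looks_like_html(content: bytes) -> bool:
    """Crude content sniff standing in for a file-type classifier (assumption, not the rule's method)."""
    head = content.lstrip()[:32].lower()
    return head.startswith((b"<!doctype html", b"<html", b"<head", b"<body", b"<script"))


def extract_strings(content: bytes) -> list[bytes]:
    """Carve printable runs the way a strings scan would."""
    return PRINTABLE_RUN.findall(content)


def is_script_only_html(att: Attachment) -> bool:
    """True when the attachment is HTML by extension or content and its only
    extracted string is a single <script>...</script> block."""
    if extension_of(att.file_name) not in HTML_EXTENSIONS and not looks_like_html(att.content):
        return False
    strings = extract_strings(att.content)
    if len(strings) != 1:
        return False
    block = strings[0].strip().lower()  # case-insensitive tag match
    return block.startswith(b"<script") and block.endswith(b"</script>")


def flagged_attachments(attachments: list[Attachment]) -> list[str]:
    """Names of attachments that would trigger the rule."""
    return [a.file_name for a in attachments if is_script_only_html(a)]


# Constructed sample attachments (not real malware samples).
SAMPLES = [
    # One-line obfuscated dropper: the whole file is a single printable run, tags in upper case.
    Attachment("invoice.html", b'<SCRIPT>document.write(atob("PGgxPmhpPC9oMT4="))</SCRIPT>'),
    # Same payload behind a .txt extension; the content sniff still classifies it as HTML.
    Attachment("invoice.txt", b'<script>document.write(atob("PGgxPmhpPC9oMT4="))</script>'),
    # Ordinary multi-line page: five strings, so it does not match.
    Attachment("report.htm", b"<html>\n<body>\n<p>Quarterly report</p>\n</body>\n</html>\n"),
    # Script-only file with line breaks: three strings, so the single-string condition fails.
    Attachment("loader.html", b"<script>\nvar u='http://example.invalid/x';\n</script>\n"),
    # Single string, but not a script block.
    Attachment("hi.html", b"<b>hi</b>"),
]

if __name__ == "__main__":
    print(flagged_attachments(SAMPLES))  # ['invoice.html', 'invoice.txt']
```

The `loader.html` sample is the caveat worth keeping in mind: because the condition is "exactly one extracted string", a script-only file that contains line breaks produces several strings and is not matched, so this rule is tuned for the compact one-line form and should be paired with broader HTML attachment rules rather than relied on alone.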
Categories
  • Web
  • Endpoint
  • Cloud
Data Sources
  • File
  • Network Traffic
Created: 2023-08-14