Attachment: HTML With Emoji-to-Character Map

Sublime Rules

Summary
This rule detects inbound email messages carrying HTML attachments with an unusually high density of emojis. It first filters on the attachment itself: the file must have an HTML file extension or a content type commonly associated with HTML, and a regex pattern is used to count the emojis embedded in it. If more than 10 emojis are found, the rule then examines the sender's profile and fires when the sender is new, an outlier, or has a history of sending malicious or spam messages. To reduce false positives, it negates any alert from a highly trusted sender domain unless that domain fails DMARC authentication. The associated attack type is credential phishing; the tactics and techniques covered are evasion, HTML smuggling, brand impersonation, scripting, and social engineering. Detection methods are file analysis, HTML analysis, JavaScript analysis, and sender analysis, which together give broad coverage of this class of phishing attachment.
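The following Python script is an added illustration of the detection logic the summary describes; it is not the Sublime rule itself and not code from the Sublime Rules project. It parses a raw message with the standard library, selects attachments that are HTML by extension or content type, counts emojis with a regex, applies the greater-than-10 threshold, checks a sender profile, and suppresses alerts for trusted domains unless DMARC failed. The emoji regex, the HTML extension and content-type lists, and the sender-profile and trusted-domain sets are all assumptions (the page does not reproduce the rule's own values); the sample messages are constructed inline.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: an approximation of "emoji" as a character class; the page does
# not reproduce the regex the rule actually uses.
EMOJI_RE = re.compile(
    "[\U0001F300-\U0001FAFF"   # misc symbols, pictographs, emoticons, supplemental
    "\U0001F1E6-\U0001F1FF"    # regional indicators (flag pairs)
    "\u2600-\u27BF]"           # misc symbols and dingbats
)

# Assumed HTML indicators; the real rule's lists may differ.
HTML_EXTENSIONS = (".htm", ".html", ".shtml", ".xhtml")
HTML_CONTENT_TYPES = {"text/html", "application/xhtml+xml"}
EMOJI_THRESHOLD = 10  # the rule fires only when the count exceeds this

# Constructed stand-ins for the sender-profile and trust data the rule consults.
KNOWN_GOOD_SENDERS = {"colleague@example-corp.test"}
KNOWN_BAD_SENDERS = {"spammer@bad.test"}
TRUSTED_DOMAINS = {"example-corp.test"}


def html_attachments(msg: EmailMessage) -> list[str]:
    """Return the decoded text of every attachment that is HTML by extension or content type."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in HTML_CONTENT_TYPES or name.endswith(HTML_EXTENSIONS):
            raw = part.get_payload(decode=True) or b""   # undo base64 / quoted-printable
            found.append(raw.decode("utf-8", errors="replace"))
    return found


def count_emojis(text: str) -> int:
    """Number of emoji-class characters in the text."""
    return len(EMOJI_RE.findall(text))


def sender_is_suspicious(sender: str) -> bool:
    """True for a new/outlier sender (never seen as good) or one with a malicious/spam history."""
    return sender in KNOWN_BAD_SENDERS or sender not in KNOWN_GOOD_SENDERS


def evaluate(raw: bytes, dmarc_pass: bool) -> dict:
    """Apply the rule's logic to one raw RFC 5322 message and return the verdict with evidence."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    domain = sender.rpartition("@")[2]
    counts = [count_emojis(body) for body in html_attachments(msg)]
    max_emojis = max(counts, default=0)
    trusted = domain in TRUSTED_DOMAINS
    fires = (
        max_emojis > EMOJI_THRESHOLD
        and sender_is_suspicious(sender)
        and not (trusted and dmarc_pass)   # trusted domains are negated unless DMARC fails
    )
    return {"sender": sender, "max_emojis": max_emojis, "trusted_domain": trusted, "fires": fires}


def build_sample(sender: str, n_emojis: int) -> bytes:
    """Constructed test message: a plain-text body plus an HTML attachment padded with emojis."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please open the attached invoice.")
    html = "<html><body><p>" + "\U0001F389" * n_emojis + "</p></body></html>"
    msg.add_attachment(html.encode("utf-8"), maintype="text", subtype="html",
                       filename="invoice.html")
    return msg.as_bytes()


if __name__ == "__main__":
    cases = [
        ("spammer@bad.test", 12, True),            # known-bad sender, many emojis: fires
        ("spammer@bad.test", 10, True),            # exactly at threshold: does not fire
        ("colleague@example-corp.test", 12, True), # known-good sender: does not fire
        ("newhire@example-corp.test", 12, True),   # new sender, trusted domain, DMARC pass: negated
        ("newhire@example-corp.test", 12, False),  # same, but DMARC fail: fires
    ]
    for sender, n, dmarc in cases:
        print(evaluate(build_sample(sender, n), dmarc_pass=dmarc))
```

The two sender-profile and DMARC inputs are deliberately kept as plain function arguments so the threshold and negation logic can be exercised in isolation; in a real pipeline they would come from the mail platform's sender history and the Authentication-Results header.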
Categories
  • Web
  • Endpoint
  • Cloud
Data Sources
  • User Account
  • File
  • Process
Created: 2024-12-02