HTML attachments containing base64-encoded files that are downloaded via embedded hyperlinks. Attackers use this TTP
to bypass email and web filters, because the file is carried inside the attachment and is not downloaded from an external source. Recently observed delivering Qakbot.
Some attackers may use obfuscation techniques such as ROT13 to bypass email security filters.
This rule may be expanded to inspect HTML attachments for other suspicious identifiers.
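An added example, not part of the original rule: a sketch of the attachment inspection described above, flagging anchor tags whose `href` is a base64 `data:` URI and repeating the check on a ROT13-decoded copy of the HTML. The regex, the magic-byte table, the function name `scan_html` and the sample documents are assumptions constructed for illustration.

```python
import base64
import binascii
import codecs
import re

# Anchor tag whose href is data:<mime>;base64,<payload> (pattern is an assumption)
HREF_DATA = re.compile(
    r"""<a\b[^>]*?\bhref\s*=\s*["']data:([\w.+/-]*)[^,"']*;base64,([A-Za-z0-9+/=\s]+)["'][^>]*>""",
    re.I)
# Leading bytes of file types often worth flagging in a smuggled payload
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"\xd0\xcf\x11\xe0": "ole"}

def scan_html(html):
    """Return one finding per embedded base64 file reachable through a hyperlink."""
    findings = []
    # Second pass: ROT13 is its own inverse, so decoding the whole document
    # restores any ROT13-encoded markup while scrambling the plain markup.
    for layer, text in (("plain", html), ("rot13", codecs.decode(html, "rot13"))):
        for m in HREF_DATA.finditer(text):
            try:
                blob = base64.b64decode("".join(m.group(2).split()), validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, so not an embedded file
            kind = next((n for sig, n in MAGIC.items() if blob.startswith(sig)), "unknown")
            findings.append({
                "layer": layer,
                "mime": m.group(1).lower(),
                "download_attr": bool(re.search(r"\bdownload\b", m.group(0), re.I)),
                "size": len(blob),
                "kind": kind,
            })
    return findings

# Constructed sample input: a harmless byte string with a ZIP signature
_PAYLOAD = base64.b64encode(b"PK\x03\x04" + b"constructed sample, not a real archive").decode()
_TAG = f'<a download="invoice.zip" href="data:application/zip;base64,{_PAYLOAD}">Open</a>'
SAMPLE_PLAIN = f"<html><body>{_TAG}</body></html>"
SAMPLE_ROT13 = f"<html><script>var s='{codecs.encode(_TAG, 'rot13')}';</script></html>"
SAMPLE_BENIGN = '<html><body><a href="https://example.com/doc">doc</a></body></html>'

if __name__ == "__main__":
    for name in ("SAMPLE_PLAIN", "SAMPLE_ROT13", "SAMPLE_BENIGN"):
        print(name, scan_html(globals()[name]))
```

A finding on the `rot13` layer alone is the stronger signal, since benign HTML has no reason to carry ROT13-encoded download links.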
Potential HTML smuggling attacks in unsolicited messages.
Use if passing HTML files is not normal behavior in your environment.
This rule may be expanded to inspect HTML attachments for suspicious code.