diff --git a/detection-rules/attachment_html_smuggling_decimal_encoding.yml b/detection-rules/attachment_html_smuggling_decimal_encoding.yml
new file mode 100644
index 00000000000..236d94bf693
--- /dev/null
+++ b/detection-rules/attachment_html_smuggling_decimal_encoding.yml
@@ -0,0 +1,39 @@
+name: "Attachment: HTML smuggling with decimal encoding"
+description: |
+ Potential HTML smuggling attack based on large blocks of decimal encoding. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures.
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(attachments,
+ (
+ .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ )
+ or .file_extension in~ $file_extensions_common_archives
+ or .file_type == "html"
+ or .content_type == "text/html"
+ )
+ and any(file.explode(.),
+ // suspicious identifiers
+ any(.scan.strings.strings,
+ regex.contains(., '(\d{2,3},){60,}')
+ )
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+id: "f99213c4-7031-50b1-ae81-b45f790d3fa4"
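Review bot: The pattern `(\d{2,3},){60,}` in the `regex.contains` call matches any run of sixty comma-separated two- or three-digit numbers, and the `any(file.explode(.), ...)` branch checks the strings of every exploded child rather than only HTML ones. A CSV, JSON array or coordinate list inside a common archive would therefore presumably fire this `severity: "high"` rule. Consider limiting the exploded child to HTML-like files, or requiring a script decoding call alongside the numeric block. The pattern also needs each comma to sit directly between digits, so a list formatted as `72, 101, 108` is missed; `'(\d{2,3},\s*){60,}'` would cover that spacing. The comment `// suspicious identifiers` does not describe the check and would read better as `// long run of comma-separated decimal character codes`.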