diff --git a/detection-rules/attachment_html_with_long_timeout.yml b/detection-rules/attachment_html_with_long_timeout.yml
new file mode 100644
index 00000000000..f2f866ef185
--- /dev/null
+++ b/detection-rules/attachment_html_with_long_timeout.yml
@@ -0,0 +1,27 @@
+name: "Attachment: HTML file with abnormally long timeout"
+description: "Detects inbound messages containing HTML attachments that use abnormally long setTimeout functions as a potential sandbox evasion technique."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(attachments,
+ (
+ .file_extension in~ ("html", "htm", "shtml", "dhtml")
+ or .file_type == "html"
+ )
+ and regex.icontains(file.parse_html(.).raw,
+ 'setTimeout\(\(\) =>.*?\d{4}\);'
+ )
+ )
+ and not headers.return_path.domain.root_domain == "phriendlyphishing.com"
+attack_types:
+ - "Malware/Ransomware"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "File analysis"
+ - "HTML analysis"
+ - "Header analysis"
+id: "dc11f4fe-480f-5136-b02d-c69c5a65f85e"
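Review bot: The vendor exclusion on the last line of `source` keys solely on `headers.return_path.domain.root_domain`, a sender-supplied header value with no authentication check behind it, so the whole rule is switched off for any message carrying that return-path domain regardless of whether the message actually came from the vendor; the exclusion should be gated on the message's sender-authentication result as well (exclude only when the return-path domain matches and the DMARC/SPF evaluation for it passed). The pattern `'setTimeout\(\(\) =>.*?\d{4}\);'` covers only the arrow-function form of setTimeout, and if the engine's `.` does not span newlines, a callback whose body contains a line break before the delay argument is also missed — this coverage limit is worth stating in `description` so the rule is not read as catching every long timeout. Note too that `\d{4}\);` matches any delay of four or more digits, i.e. anything from 1000 ms upward, which is a common benign value; either the threshold or the "abnormally long" wording in `name` and `description` should be adjusted so they agree, for example `description: "... HTML attachments whose arrow-function setTimeout callback uses a delay of 1000 ms or more ..."`.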