diff --git a/detection-rules/attachment_html_with_long_timeout.yml b/detection-rules/attachment_html_with_long_timeout.yml
new file mode 100644
index 00000000000..a4be2eb12fb
--- /dev/null
+++ b/detection-rules/attachment_html_with_long_timeout.yml
@@ -0,0 +1,18 @@
+name: "Attachment: HTML file with abnormally long timeout"
+description: "Detects inbound messages containing HTML attachments that use abnormally long setTimeout functions as a potential sandbox evasion technique."
+type: "rule"
+severity: "high"
+source: "type.inbound\nand any(attachments,\n        (\n          .file_extension in~ (\"html\", \"htm\", \"shtml\", \"dhtml\")\n          or .file_type == \"html\"\n        )\n        and \n\n          regex.icontains(file.parse_html(.).raw, 'setTimeout\\(\\(\\) =>.*?\\d{4}\\);')\n        )\n        and not headers.return_path.domain.root_domain == \"phriendlyphishing.com\"\n"
+attack_types:
+  - "Malware/Ransomware"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "HTML smuggling"
+  - "Scripting"
+detection_methods:
+  - "File analysis"
+  - "HTML analysis"
+  - "Header analysis"
+id: "dc11f4fe-480f-5136-b02d-c69c5a65f85e"
+testing_pr: 2245
+testing_sha: 9074e47443025d2b7e54033022aada95fda854f5