diff --git a/detection-rules/link_microsoft_html_generator.yml b/detection-rules/link_microsoft_html_generator.yml
new file mode 100644
index 00000000000..760a1aae3e8
--- /dev/null
+++ b/detection-rules/link_microsoft_html_generator.yml
@@ -0,0 +1,34 @@
+name: "Link: Microsoft HTML generator with recipient targeting"
+description: "Detects messages with HTML content generated by Microsoft tools (MSHTML) or specific CSS styling patterns, where links contain the recipient's email address in URL parameters, paths, or fragments. This targeting technique is commonly used to personalize malicious content and bypass security filters."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and (
+ length(html.xpath(body.html,
+ "//div[contains(@style, 'ORPHANS: 2;') and contains(@style, 'WIDOWS: 2;')]"
+ ).nodes
+ ) == 2
+ or length(html.xpath(body.html,
+ "//meta[@name='GENERATOR' and contains(@content, 'MSHTML')]"
+ ).nodes
+ ) == 1
+ )
+ and (
+ any(recipients.to,
+ any(body.links, ..email.email in .href_url.query_params_decoded["eta"])
+ or any(body.links, strings.icontains(.href_url.path, ..email.email))
+ or any(body.links, .href_url.fragment == ..email.email)
+ )
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+ - "Evasion"
+detection_methods:
+ - "HTML analysis"
+ - "Content analysis"
+ - "URL analysis"
+id: "09d596e0-47eb-5403-9f1e-784474396a15"
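Review bot: The three recipient-targeting branches inside `source` disagree on case handling: the path branch uses `strings.icontains`, but the `eta` query-parameter branch uses a plain `in` and the fragment branch uses `==`, so a recipient address carried in the query string or fragment with different capitalisation matches on the path but silently misses on the other two. Unless exact, case-sensitive matching is intended there, the fragment line could read `or any(body.links, strings.icontains(.href_url.fragment, ..email.email))`, and the query-parameter branch is worth aligning the same way if `query_params_decoded["eta"]` yields a string rather than a list. The hard-coded `eta` parameter name and the exact `== 2` count of ORPHANS/WIDOWS divs are narrow, campaign-specific indicators; a short note next to the `source` block saying they are deliberate would stop a later tuner from loosening or tightening them without context. Only `recipients.to` is consulted, so a targeted address that appears only in CC is not covered, which the description's "the recipient's email address" does not make clear.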