diff --git a/detection-rules/headers_mailer_contains_hidden_content.yml b/detection-rules/headers_mailer_contains_hidden_content.yml
new file mode 100644
index 00000000000..542962dd434
--- /dev/null
+++ b/detection-rules/headers_mailer_contains_hidden_content.yml
@@ -0,0 +1,28 @@
+name: "Headers: Microsoft CDO or PHPMailer with hidden HTML content"
+description: "Detects messages sent via Microsoft CDO for Windows 2000 or PHPMailer that contain HTML paragraph elements with transparent text or hidden content styling, commonly used to evade content analysis."
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  and (
+    headers.mailer == 'Microsoft CDO for Windows 2000'
+    or strings.ilike(headers.mailer, "PHPMailer*")
+  )
+  and any(html.xpath(body.html, '//p').nodes,
+    .display_text == ''
+    and .inner_text == ''
+    and regex.icontains(.raw,
+      '[^-]color\s*:\s*transparent|mso-hide\s*:\s*all'
+    )
+  )
+
+attack_types:
+  - "Credential Phishing"
+  - "Spam"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "HTML analysis"
+id: "550f1cff-6203-543a-9aa4-54717148bca9"
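Review bot: The two mailer checks in `source` handle case differently: the CDO test is an exact, case-sensitive `headers.mailer == 'Microsoft CDO for Windows 2000'` while the PHPMailer test uses the case-insensitive `strings.ilike`, so a mailer string with different casing would pass the first branch only by luck; for consistency use `strings.ilike(headers.mailer, 'Microsoft CDO for Windows 2000')` (or an explicit case-insensitive equality if the engine offers one). The hidden-content regex only recognises `color:transparent` and `mso-hide:all`; `display:none`, `visibility:hidden`, `font-size:0` and `opacity:0` achieve the same evasion on a `<p>` and would slip past, so if the narrow match is a deliberate false-positive trade-off, say so in `description`, otherwise extend the alternation. The `[^-]` guard correctly rejects `background-color`/`border-color`, but `color: rgba(0,0,0,0)` and near-white colours are also not covered, which is worth noting as a known gap. The rule also requires both `.display_text == ''` and `.inner_text == ''`, which appears to mean it fires only on styled paragraphs holding no text at all rather than on hidden text per se — if that is intended (the styled empty element is the fingerprint), the description should state it so a later maintainer does not "fix" it.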