
Summary
This detection rule identifies potentially malicious email messages that mimic benign PDF filenames in order to trick recipients into handing over credentials. The rule checks whether the display text of the first link in the email resembles a PDF filename containing the sender's domain name, where the link's intent is credential theft or a suspicious request. It also ensures that the message carries no actual PDF attachment. The rule applies text-recognition techniques, including Levenshtein distance calculations and natural language understanding (NLU), to detect malicious intent. Furthermore, it flags emails addressed to invalid recipients or to the sender themselves, which indicates possible misuse of email infrastructure. The severity of the rule is set to medium: such phishing attempts have moderate potential for impact but warrant careful consideration and monitoring.
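As an added illustration, not the rule's own code, the following Python sketches the filename-resemblance, attachment and recipient checks the summary describes; the NLU intent check is left out, and the edit-distance threshold, field names and sample messages are constructed for this example.

```python
import re
from dataclasses import dataclass, field

def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

PDF_NAME = re.compile(r"^(?P<stem>.+)\.pdf$", re.IGNORECASE)

def looks_like_sender_domain_pdf(display_text: str, sender: str, max_distance: int = 2) -> bool:
    """True if the link text reads as a PDF filename built around the sender's domain.
    Exact substring of the domain or its first label, or a filename token within
    max_distance edits of that label (label must be long enough to be meaningful)."""
    m = PDF_NAME.match(display_text.strip())
    if not m:
        return False
    stem = m.group("stem").lower()
    domain = sender.rsplit("@", 1)[-1].lower()
    org = domain.split(".")[0]            # e.g. "acme-corp" from "acme-corp.com"
    if domain in stem or org in stem:
        return True
    if len(org) < 4:                      # avoid fuzzy-matching tiny labels to everything
        return False
    tokens = [t for t in re.split(r"[\s._\-]+", stem) if t]
    return any(levenshtein(t, org) <= max_distance for t in tokens)

@dataclass
class Email:                              # constructed, minimal message model
    sender: str
    recipients: list
    first_link_text: str
    attachments: list = field(default_factory=list)   # attachment filenames

def has_pdf_attachment(msg: Email) -> bool:
    return any(a.lower().endswith(".pdf") for a in msg.attachments)

def suspicious_recipients(msg: Email) -> bool:
    """No recipients at all, or the sender mailing themselves."""
    return not msg.recipients or msg.sender.lower() in (r.lower() for r in msg.recipients)

def rule_fires(msg: Email) -> bool:
    """Link text mimics a sender-domain PDF while no real PDF is attached."""
    return looks_like_sender_domain_pdf(msg.first_link_text, msg.sender) and not has_pdf_attachment(msg)
```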
Categories
- Web
- Endpoint
- Identity Management
- Cloud
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2026-02-13