Link: PDF and financial display text to free file host

Sublime Rules

Summary
This detection rule identifies messages that contain a single link whose display text ends in '.pdf' and references financial terms, and which points to a free file hosting service. The message must not contain a previous thread (a quoted reply or forward chain) and must carry no PDF attachment. The link must be the only one in the message pointing to a free file hosting domain, and the message must contain no more than three distinct link domains. The display text must show signs of a fraudulent financial communication, such as keywords related to payments or invoices, and the link must not use the common layout of a Google icon inside a bounding box, which the rule excludes to avoid matching ordinary share notifications. The rule is aimed at credential phishing that uses social engineering to lure recipients into clicking a harmful link.
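The criteria above, re-implemented in plain Python as an added illustration (this is not Sublime's own rule or its MQL, and the free-file-host list and financial keyword list are constructed stand-ins). The Google-icon-in-a-bounding-box exclusion is omitted because it depends on the rendered HTML, which this model does not carry. Each check returns the reason the message did not match, which is the part a detection engineer usually wants when tuning:

```python
"""Plain-Python re-implementation of the rule summary's criteria.
Added example, not Sublime's rule; host and keyword lists are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed stand-in for the rule's free-file-host list (assumption).
FREE_FILE_HOSTS = ("transfer.sh", "file.io", "wetransfer.com", "mega.nz")

# Constructed stand-in for the rule's financial keyword set (assumption).
FINANCIAL_TERMS = re.compile(
    r"\b(invoice|payment|remittance|statement|receipt|wire|purchase\s*order)\b",
    re.IGNORECASE,
)


@dataclass
class Link:
    href: str
    display_text: str


@dataclass
class Message:
    links: List[Link]
    attachments: List[str] = field(default_factory=list)  # attachment file names
    has_previous_thread: bool = False  # quoted reply/forward chain present


def domain_of(href: str) -> str:
    """Lower-cased host part of a link, without any port."""
    return urlparse(href).netloc.lower().split(":")[0]


def is_free_file_host(domain: str) -> bool:
    """True for a listed host or any subdomain of it."""
    return any(domain == h or domain.endswith("." + h) for h in FREE_FILE_HOSTS)


def evaluate(msg: Message) -> Tuple[bool, str]:
    """Return (matched, reason). Each check mirrors one sentence of the summary."""
    if msg.has_previous_thread:
        return False, "message contains a previous thread"
    if any(a.lower().endswith(".pdf") for a in msg.attachments):
        return False, "a real PDF is attached"
    domains = {domain_of(l.href) for l in msg.links}
    if len(domains) > 3:
        return False, f"{len(domains)} distinct link domains (max 3)"
    free_host_links = [l for l in msg.links if is_free_file_host(domain_of(l.href))]
    if len(free_host_links) != 1:
        return False, f"{len(free_host_links)} free-file-host links (need exactly 1)"
    text = free_host_links[0].display_text.strip()
    if not text.lower().endswith(".pdf"):
        return False, "display text does not end in .pdf"
    if not FINANCIAL_TERMS.search(text):
        return False, "display text carries no financial keyword"
    return True, "single financial '.pdf' display text pointing to a free file host"


# Constructed sample messages.
LURE = Message(links=[Link("https://transfer.sh/abc123/Invoice_4471.pdf", "Invoice 4471.pdf")])
LEGIT_SHARE = Message(
    links=[Link("https://transfer.sh/abc123/Invoice_4471.pdf", "Invoice 4471.pdf")],
    attachments=["Invoice_4471.pdf"],
)
BROCHURE = Message(links=[Link("https://mega.nz/file/xyz", "Brochure.pdf")])
NEWSLETTER = Message(
    links=[
        Link("https://a.example/", "a"),
        Link("https://b.example/", "b"),
        Link("https://c.example/", "c"),
        Link("https://file.io/x", "Payment.pdf"),
    ]
)

if __name__ == "__main__":
    for name, m in [("lure", LURE), ("legit share", LEGIT_SHARE),
                    ("brochure", BROCHURE), ("newsletter", NEWSLETTER)]:
        print(f"{name:12s} -> {evaluate(m)}")
```

Only the first sample matches; the others fall out on the PDF-attachment, keyword and domain-count checks respectively, which is the behaviour the rule's exclusions are there to produce.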
Categories
  • Web
  • Cloud
  • Endpoint
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2025-08-23