
Summary
This rule aims to detect suspicious email messages that use urgent legal language and carry a PDF attachment containing potentially harmful links. It focuses on emails that exhibit characteristics typical of credential phishing. The rule checks several criteria: the presence of legal and compliance-related topics, urgency in the message, and specific attachment requirements. Detection analyzes the HTML content of the email body for keywords associated with legal themes, while also requiring that the message carry no prior reply references; this excludes replies to existing threads, which are common in benign communications. Furthermore, it requires that the message carry either a single attachment or two attachments with similar names (a duplication pattern used to evade detection). The rule specifically targets PDFs, extracting URLs from these documents and analyzing them for indicators of suspiciousness such as URL shorteners and uncommon top-level domains (TLDs). Taken together, the rule combines content, file, header, and URL analysis with natural language understanding to identify this class of phishing threat.
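As an added illustration (not the rule's own implementation, whose detection engine and query language this summary does not show), the following Python sketch reproduces the rule's conditions over a constructed message dict. The keyword lists, the shortener and TLD indicator sets, and the assumption that each PDF's text has already been extracted into a `text` field are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse
# Constructed keyword and indicator lists; a production rule would use richer NLU and TLD data.
LEGAL_TERMS = ("legal notice", "compliance", "subpoena", "lawsuit", "litigation")
URGENCY_TERMS = ("immediately", "urgent", "within 24 hours", "final notice")
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
UNCOMMON_TLDS = {"xyz", "top", "click", "icu"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

def has_legal_urgency(body_html):
    """Keyword check over the visible text of the HTML body (tags stripped)."""
    text = re.sub(r"<[^>]+>", " ", body_html).lower()
    return any(t in text for t in LEGAL_TERMS) and any(t in text for t in URGENCY_TERMS)

def is_reply(headers):
    """In-Reply-To / References headers mark a reply in an existing thread."""
    return bool(headers.get("In-Reply-To") or headers.get("References"))

def attachment_count_ok(attachments):
    """One attachment, or two whose name stems match (e.g. 'Notice.pdf' and 'notice (1).pdf')."""
    stems = [re.sub(r"[^a-z0-9]", "", a["name"].lower().rsplit(".", 1)[0]) for a in attachments]
    if len(stems) == 2:
        return stems[0].startswith(stems[1]) or stems[1].startswith(stems[0])
    return len(stems) == 1

def is_suspicious_url(url):
    host = (urlparse(url).hostname or "").lower()
    return host in URL_SHORTENERS or host.rsplit(".", 1)[-1] in UNCOMMON_TLDS

def suspicious_pdf_urls(attachments):
    """URLs found in PDF text (assumed already extracted into 'text') that hit an indicator."""
    return [u for a in attachments if a["type"] == "application/pdf"
            for u in URL_RE.findall(a.get("text", "")) if is_suspicious_url(u)]

def detect(msg):
    """True only when every condition of the rule holds for the message dict."""
    return (has_legal_urgency(msg["body_html"]) and not is_reply(msg["headers"])
            and attachment_count_ok(msg["attachments"])
            and bool(suspicious_pdf_urls(msg["attachments"])))

# Constructed sample: urgent legal wording, two same-named PDFs, shortener link in the PDF text.
PHISH = {"headers": {"From": "notices@example-legal.test"},
         "body_html": "<p><b>Final notice</b>: this legal notice requires compliance immediately.</p>",
         "attachments": [{"name": "Notice.pdf", "type": "application/pdf",
                          "text": "Open the complaint: https://bit.ly/x9Q2z"},
                         {"name": "notice (1).pdf", "type": "application/pdf", "text": ""}]}
# Same content as a reply in an existing thread: the rule must not fire.
BENIGN_REPLY = dict(PHISH, headers={"In-Reply-To": "<msg1@example.test>"})
```

Running `detect(PHISH)` yields True while `detect(BENIGN_REPLY)` yields False, showing how the reply-reference check alone suppresses the alert for thread replies.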
Categories
- Network
- Endpoint
- Web
- Cloud
Data Sources
- User Account
- File
- Web Credential
- Process
- Network Traffic
Created: 2025-06-07