
Summary
This rule detects inbound messages that contain a hyperlink presented as a PDF but actually resolving to an HTML page. It triggers when any link in the current thread's body has an href whose URL path contains ".pdf", followed by optional characters, and ends with ".html". Attackers use this evasion tactic to bypass filters that target PDF extensions and to lure recipients into clicking a link they believe leads to a legitimate PDF document. The rule combines URL analysis and content analysis to identify suspicious link patterns in inbound messages; the tactic appears in both credential phishing and malware/ransomware campaigns. By flagging such disguised links, it helps prevent user compromise by deceptive "PDF" links that load HTML pages or hosting sites, which may deliver drive-by downloads or credential collection pages.
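As an added example (not the rule's own logic or code from its vendor), the check below applies the same path pattern to links extracted from a constructed message body. It assumes case-insensitive matching and that only the URL path, not the query string or fragment, is inspected.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Path pattern from the rule: ".pdf" somewhere in the URL path, with the path
# ending in ".html". Case-insensitive matching is an assumption of this example.
PDF_AS_HTML_PATH = re.compile(r"\.pdf.*\.html$", re.IGNORECASE)


class _HrefCollector(HTMLParser):
    """Collect every href attribute from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hrefs(html_body: str) -> list:
    parser = _HrefCollector()
    parser.feed(html_body)
    return parser.hrefs


def is_pdf_disguised_as_html(href: str) -> bool:
    """True when the URL path (query string and fragment excluded) matches."""
    path = urlparse(href).path
    return bool(PDF_AS_HTML_PATH.search(path))


def flag_message(html_body: str) -> list:
    """Return the links in a message body that match the rule's pattern."""
    return [h for h in extract_hrefs(html_body) if is_pdf_disguised_as_html(h)]


# Constructed sample message body (not taken from any real campaign).
SAMPLE_BODY = """
<p>Your invoice is ready.</p>
<a href="https://files.example.test/docs/invoice_2024.pdf">Invoice (PDF)</a>
<a href="https://cdn.example.test/share/invoice_2024.pdf.html">Open PDF</a>
<a href="https://cdn.example.test/view/Statement.PDF/index.html?ref=1">Statement</a>
<a href="https://portal.example.test/download.html?file=invoice.pdf">Portal</a>
"""
```

Only the second and third links are flagged: the first is a genuine ".pdf" path, and the fourth carries ".pdf" only in its query string, which the rule does not inspect.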
Categories
- Web
- Endpoint
Data Sources
- Network Traffic
Created: 2026-06-06