
Adobe branded PDF file linking to a password-protected file from untrusted sender
Sublime Rules
Summary
This detection rule identifies Adobe-branded PDF files that link to password-protected files hosted remotely, typically sent from untrusted sources. The technique is commonly used by phishing and malware actors such as IcedID, Remcos, and AsyncRAT. The rule takes a multi-layered approach to detection: it checks the attachment type to ensure it is a PDF, uses Natural Language Understanding (NLU) to classify the message's intent as credential theft with high confidence, and performs string matching to find mentions of 'password-protected' in the scanned text of the document. It also evaluates the sender's profile: the message prevalence must be new or outlier, or the sender must have a history of malicious or spam messages with no false positives on record. By combining these signals, the rule aims to flag potentially dangerous PDF attachments that could lead to credential theft or malware infection while keeping false positives low.
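The combination of signals described above, written out as an added illustration in Python (this is not the Sublime rule's own source; the message model, field names and sample values are constructed here, and the NLU verdict is treated as an input signal rather than computed):

```python
from dataclasses import dataclass

@dataclass
class Message:
    """Constructed message model; each field stands in for a signal the rule summary uses."""
    attachment_types: list        # file types of attachments, e.g. ["pdf"]
    nlu_intent: str               # NLU classification of the body, e.g. "cred_theft"
    nlu_confidence: str           # "low" | "medium" | "high"
    scanned_text: str             # text extracted/OCR'd from the PDF
    sender_prevalence: str        # "new" | "outlier" | "common"
    sender_malicious_count: int   # prior messages from sender flagged malicious
    sender_spam_count: int        # prior messages from sender flagged spam
    sender_false_positive_count: int  # prior flags on this sender later marked FP

def is_untrusted_sender(m: Message) -> bool:
    """New/outlier senders are untrusted outright; otherwise a flagged history
    counts only if no false positive was ever recorded for the sender."""
    if m.sender_prevalence in ("new", "outlier"):
        return True
    flagged = m.sender_malicious_count > 0 or m.sender_spam_count > 0
    return flagged and m.sender_false_positive_count == 0

def matches_rule(m: Message) -> bool:
    """All four layers must agree before the message is flagged."""
    has_pdf = any(t.lower() == "pdf" for t in m.attachment_types)
    cred_theft = m.nlu_intent == "cred_theft" and m.nlu_confidence == "high"
    mentions_pw = "password-protected" in m.scanned_text.lower()
    return has_pdf and cred_theft and mentions_pw and is_untrusted_sender(m)

# Constructed samples: a lure from a first-time sender, and the same lure from a
# sender whose earlier spam flag was later judged a false positive.
SAMPLE_HIT = Message(["pdf"], "cred_theft", "high",
                     "Your document is password-protected. Open it here.",
                     "new", 0, 0, 0)
SAMPLE_VETTED_SENDER = Message(["pdf"], "cred_theft", "high",
                               "Your document is password-protected. Open it here.",
                               "common", 0, 2, 1)

if __name__ == "__main__":
    print("hit:", matches_rule(SAMPLE_HIT), "vetted:", matches_rule(SAMPLE_VETTED_SENDER))
```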
Categories
- Endpoint
- Web
- Cloud
- Identity Management
Data Sources
- File
- Network Traffic
- Malware Repository
- User Account
- Web Credential
Created: 2023-02-24