Brand impersonation: Fake procurement/RFQ PDF from energy and industrial companies

Sublime Rules

Summary
This rule detects inbound PDF attachments that impersonate well-known energy and industrial brands. It uses OCR (a beta feature) to extract text from the document, which also covers templates that carry their content as an embedded image, and matches that text against brand names, addresses, and procurement-related phrases found in fraudulent templates.

The target is procurement fraud: fake purchase orders, RFQs, and supply-chain solicitations. The rule looks for branded cues together with common PO/RFQ language (e.g., "This is not a Purchase Order", "INVITATION TO TENDER", "SUPPLY CHAIN MANAGEMENT") across several brand signatures: Neste, TotalEnergies, Vattenfall, MOL Group, Unilever, Shell, Waldinger, and Novo Nordisk. Each brand-specific signature block is combined with these keywords, so a document has to show both a brand cue and procurement language before the rule fires; the aim is to catch credential- or invoice-based social engineering delivered as a PDF attachment. Detection relies on OCR, file analysis, and content analysis, so the quality of the OCR output determines whether the phrases are recognised.

The rule is classified as BEC/Fraud, uses the impersonation, PDF, and image-as-content tactics, and is rated high severity for inbound delivery of fraudulent procurement documents intended to trick recipients into taking action or making payments.
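The matching logic described above, as an added example in Python rather than the rule's own MQL (this is not Sublime's code). It assumes a simple message/attachment shape, uses only the brand names and phrases quoted in the summary (the real rule's addresses and full signature blocks are not on this page), and treats a PDF with little or no text layer as image-as-content, falling back to OCR output; the sample documents are constructed for the example.

```python
import re
from dataclasses import dataclass

# Brand names quoted in the rule summary. The real rule also matches addresses
# and other signature details that are not reproduced here (assumption).
BRANDS = ["neste", "totalenergies", "vattenfall", "mol group", "unilever",
          "shell", "waldinger", "novo nordisk"]

# PO/RFQ language quoted in the summary plus the generic terms it refers to.
PROCUREMENT_PHRASES = ["this is not a purchase order", "invitation to tender",
                       "supply chain management", "request for quotation",
                       "rfq", "purchase order"]

@dataclass
class Attachment:
    name: str
    content_type: str
    text_layer: str  # text extractable directly from the PDF
    ocr_text: str    # text recovered by OCR from the rendered pages

@dataclass
class Message:
    direction: str   # "inbound" or "outbound" (hypothetical field name)
    attachments: list

def normalize(text: str) -> str:
    # Case-fold and collapse whitespace so OCR'd layout does not split a
    # phrase such as "INVITATION\nTO TENDER" across lines.
    return re.sub(r"\s+", " ", text).casefold().strip()

def pdf_text(att: Attachment) -> str:
    # Image-as-content PDFs have (almost) no text layer; use the OCR output then.
    source = att.text_layer if len(att.text_layer.strip()) >= 50 else att.ocr_text
    return normalize(source)

def is_pdf(att: Attachment) -> bool:
    return att.content_type == "application/pdf" or att.name.lower().endswith(".pdf")

def contains(text: str, phrase: str) -> bool:
    # Whole-word match so "shell" does not fire on "seashell".
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None

def evaluate(msg: Message):
    """Return (matched, details). Fires only for inbound mail carrying a PDF
    whose text shows both a brand cue and procurement language."""
    if msg.direction != "inbound":
        return False, {}
    for att in msg.attachments:
        if not is_pdf(att):
            continue
        text = pdf_text(att)
        brands = [b for b in BRANDS if contains(text, b)]
        phrases = [p for p in PROCUREMENT_PHRASES if contains(text, p)]
        if brands and phrases:
            return True, {"attachment": att.name, "brands": brands, "phrases": phrases}
    return False, {}

# Constructed samples (not real messages).
FRAUD_MSG = Message("inbound", [Attachment(
    "RFQ_2024.pdf", "application/pdf", text_layer="",
    ocr_text="TotalEnergies SE\nSUPPLY CHAIN MANAGEMENT\nINVITATION TO TENDER\n"
             "This is not a Purchase Order\n")])

BRAND_ONLY_MSG = Message("inbound", [Attachment(
    "update.pdf", "application/pdf", text_layer="",
    ocr_text="Shell quarterly sustainability update for partners\n")])

BENIGN_MSG = Message("inbound", [Attachment(
    "invoice.pdf", "application/pdf",
    text_layer="Invoice 2024-001 from Acme Widgets Ltd. Amount due: 1,200 EUR. "
               "Payment terms net 30 days. Thank you for your business.",
    ocr_text="")])

OUTBOUND_MSG = Message("outbound", FRAUD_MSG.attachments)

if __name__ == "__main__":
    for label, m in [("fraud", FRAUD_MSG), ("brand only", BRAND_ONLY_MSG),
                     ("benign", BENIGN_MSG), ("outbound", OUTBOUND_MSG)]:
        print(label, evaluate(m))
```

The brand-only sample shows why the rule pairs each signature block with procurement keywords: a scanned document that merely mentions a brand does not fire on its own.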
Categories
  • Endpoint
  • Network
Data Sources
  • File
Created: 2026-06-26