
Summary
This detection rule identifies PDF attachments that link to potentially malicious DMG files. Its primary objective is to flag any PDF containing a URL that leads to a DMG file, to a ZIP archive with a DMG file inside, or to an encrypted ZIP containing a DMG file. The detection combines several techniques: analyzing the URLs within the attachment, inspecting the content of the files those URLs download, and checking the sender's profile for malicious attributes. It is particularly relevant given the recent emergence of the MetaStealer malware, which targets macOS users through exactly this delivery mechanism. Using string matching and link analysis, the rule also looks for specific characteristics indicative of malicious intent, so that potentially harmful attachments are flagged for further scrutiny. The rule is assigned medium severity because, while PDF attachments linking to DMG files pose a real threat, false positives can occur when legitimate files are processed incorrectly.
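As an added illustration of the link-analysis and download-inspection steps described above (example code written for this page, not the rule's own implementation), the following Python extracts URLs from raw PDF bytes, classifies direct DMG links, and inspects fetched ZIPs for a DMG entry, reporting separately when the archive is encrypted. The PDF, hostnames and ZIP payloads are constructed samples; `fetch` is an offline stub standing in for the downloader.

```python
import io, re, zipfile
from urllib.parse import urlsplit
URL_RE = re.compile(rb"https?://[^\s)<>\"']+")  # matches /URI (...) actions and plain-text links

def extract_urls(pdf_bytes: bytes) -> list[str]:
    # Assumption: link objects are uncompressed; real PDFs need their streams decoded first.
    return sorted({m.group(0).decode("latin-1") for m in URL_RE.finditer(pdf_bytes)})

def inspect_zip(data: bytes) -> dict:
    # Names sit in the central directory, so a DMG inside a password-protected ZIP is visible; {} if not a ZIP.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return {}
    return {"dmg_names": [i.filename for i in infos if i.filename.lower().endswith(".dmg")],
            "encrypted": any(i.flag_bits & 0x1 for i in infos)}

def classify_pdf(pdf_bytes: bytes, fetch) -> list[tuple[str, str]]:
    # fetch(url) -> bytes is supplied by the caller; here it is an offline stub.
    findings = []
    for url in extract_urls(pdf_bytes):
        path = urlsplit(url).path.lower()
        if path.endswith(".dmg"):
            findings.append((url, "dmg_link"))
        elif path.endswith(".zip"):
            info = inspect_zip(fetch(url))
            if info and info["dmg_names"]:
                findings.append((url, "encrypted_zip_with_dmg" if info["encrypted"] else "zip_with_dmg"))
    return findings

def _zip_with(name: str, encrypted: bool) -> bytes:
    # Constructed sample ZIP (no real disk image, no real cipher).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"not a real disk image")
    data = bytearray(buf.getvalue())
    if encrypted:  # set the "encrypted" general-purpose flag bit in the central directory
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)

# Constructed sample PDF with four link annotations; hostnames are placeholders.
SAMPLE_PDF = b"%PDF-1.4\n" + b"".join(
    b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >> endobj\n" % (n, u)
    for n, u in enumerate([b"https://files.example.test/Installer.dmg", b"https://files.example.test/update.zip",
                           b"https://files.example.test/locked.zip", b"https://files.example.test/readme.zip"], 1))
FAKE_DOWNLOADS = {"https://files.example.test/update.zip": _zip_with("Installer.dmg", False),
                  "https://files.example.test/locked.zip": _zip_with("Installer.dmg", True),
                  "https://files.example.test/readme.zip": _zip_with("README.txt", False)}
```

Running `classify_pdf(SAMPLE_PDF, FAKE_DOWNLOADS.__getitem__)` flags the direct DMG link, the plain ZIP carrying a DMG and the encrypted ZIP carrying a DMG, while the ZIP that only holds a text file produces no finding.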
Categories
- Endpoint
- macOS
- Application
Data Sources
- File
- Process
- Network Traffic
Created: 2023-09-12