
Attachment: RFP/RFQ impersonating government entities

Sublime Rules

Summary
This detection rule targets fraudulent email attachments that masquerade as legitimate documents from U.S. government entities, in particular Requests for Proposals (RFP) and Requests for Quotations (RFQ). The rule evaluates incoming emails that carry exactly one attachment and checks the following criteria:

1. The attachment must be a PDF file or have one of the file extensions associated with document types.
2. The email body must reference government departments or offices.
3. The subject line must include keywords associated with RFP/RFQ requests.
4. The sender's domain must contain 'gov', suggesting a government source.
5. Natural language understanding (NLU) classifiers are run on the email content to assess fraudulent intent, specifically looking for the "purchase_order" intent and related terms.

Additionally, if the attachment is analyzed with OCR, the recovered text should show the same linguistic patterns referring to government departments.
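As an added illustration, not the rule's own source (which this page does not show), the five criteria from the summary expressed as a Python predicate over a constructed message model; the keyword lists, the document-extension set and the keyword stand-in for the NLU intent classifier are assumptions:

```python
import re
from dataclasses import dataclass

@dataclass
class Email:  # constructed stand-in for the fields the rule inspects, not Sublime's message model
    sender_domain: str
    subject: str
    body: str
    attachments: list  # (filename, content_type) pairs
    ocr_text: str = ""  # text recovered from the attachment by OCR, if any

# Assumed keyword sets; the page names the criteria but not the exact lists.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
RFP_SUBJECT = re.compile(r"\b(rfp|rfq|request for (proposal|quot(e|ation)))\b", re.I)
GOV_DEPT = re.compile(r"\b(department of|office of|bureau of)\b", re.I)
# Keyword stand-in for the "purchase_order" intent that the NLU classifier reports.
PO_INTENT = re.compile(r"\b(purchase order|quote|quotation|proposal|bid)\b", re.I)

def matches_rfp_impersonation(msg: Email) -> bool:
    """True when every criterion in the rule summary holds for msg."""
    # 1. exactly one attachment, and it is a PDF or a document-type extension
    if len(msg.attachments) != 1:
        return False
    name, ctype = msg.attachments[0]
    ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
    if ctype != "application/pdf" and ext not in DOC_EXTENSIONS:
        return False
    # 2. body (or OCR text from the attachment) references a government department or office
    if not (GOV_DEPT.search(msg.body) or GOV_DEPT.search(msg.ocr_text)):
        return False
    # 3. subject carries RFP/RFQ wording
    if not RFP_SUBJECT.search(msg.subject):
        return False
    # 4. sender domain contains "gov", exactly as the summary states
    if "gov" not in msg.sender_domain.lower():
        return False
    # 5. purchase-order intent in the body or the OCR text
    return bool(PO_INTENT.search(msg.body) or PO_INTENT.search(msg.ocr_text))

# Constructed samples: a lookalike-domain lure and an unrelated newsletter.
SUSPECT = Email("procurement-usgov-supply.com", "RFQ: Department of Veterans Affairs solicitation",
                "The Department of Veterans Affairs requests a quote; the attached purchase order form applies.",
                [("RFQ_form.pdf", "application/pdf")])
BENIGN = Email("vendor-news.example.com", "Monthly newsletter",
               "Our latest catalogue is attached.", [("catalogue.pdf", "application/pdf")])
```

Note that criterion 4, taken literally, also matches genuine `.gov` senders, so a deployed version needs an exclusion for verified government domains; the summary does not say whether the original rule carries one.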
Categories
  • Identity Management
  • Web
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2024-01-30