
Summary
This rule identifies malicious PDF attachments crafted to impersonate legitimate notifications from Microsoft Purview. Detection is layered: machine learning and natural language understanding (NLU) are applied to the content of the PDF files themselves. When a user receives an inbound email, the rule first checks for PDF attachments. The NLU classifier then evaluates the content of those attachments, looking with high confidence for terms associated with Microsoft Purview secure message notifications. The rule also validates the sender against a list of high-trust sender domains: messages from those domains are excluded unless they fail DMARC authentication, which keeps false positives down while still catching spoofed trusted domains. Together these techniques counter phishing attempts that rely on brand impersonation and social engineering, protecting users from credential theft and data breaches.
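The logic described above, as an added example that is not the original rule: the high-trust domain list is constructed, and a keyword score stands in for the NLU classifier (an assumption, so the suppression and DMARC behaviour can be exercised offline).

```python
import re
from dataclasses import dataclass, field

# Assumption: a small constructed list of high-trust sender domains.
HIGH_TRUST_DOMAINS = {"microsoft.com", "contoso.com"}

# Assumption: keyword stand-in for the NLU classifier. It looks for the
# secure-message notification language the real classifier is trained on.
PURVIEW_TERMS = re.compile(
    r"(microsoft purview|encrypted message|secure message|"
    r"read the message|protected message)", re.IGNORECASE)

@dataclass
class Attachment:
    filename: str
    content_type: str
    text: str  # extracted PDF text (constructed for the example)

@dataclass
class Message:
    sender_domain: str
    dmarc_result: str  # "pass", "fail", or "none"
    attachments: list = field(default_factory=list)
    direction: str = "inbound"

def is_pdf(att):
    return (att.content_type == "application/pdf"
            or att.filename.lower().endswith(".pdf"))

def classifier_confidence(text):
    """Stand-in score: fraction of the five distinct Purview terms present."""
    hits = {m.group(1).lower() for m in PURVIEW_TERMS.finditer(text)}
    return len(hits) / 5

def trusted_sender(msg):
    """Suppress only when the domain is high-trust AND DMARC passes.
    A high-trust domain that fails DMARC is treated as spoofed, not trusted."""
    return msg.sender_domain in HIGH_TRUST_DOMAINS and msg.dmarc_result == "pass"

def detect(msg, threshold=0.4):
    """Return True when an inbound message from a non-trusted (or spoofed)
    sender carries a PDF whose content reads like a Purview notification."""
    if msg.direction != "inbound" or trusted_sender(msg):
        return False
    return any(is_pdf(a) and classifier_confidence(a.text) >= threshold
               for a in msg.attachments)
```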
Categories
- Cloud
- Web
- Identity Management
Data Sources
- File
- User Account
- Network Traffic
Created: 2025-11-11