
URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)
Sublime Rules
Summary
This detection rule identifies malicious domains listed by URLhaus within message bodies and PDF attachments. It uses the URLhaus feed of trusted reporters and filters out known-good domains to keep false positives from legitimate links low. The detection logic inspects both the message body and the contents of PDF files, looking for URLs whose domain appears in the URLhaus malicious-domain list, while excluding allowlisted domains such as Google's file storage and high-traffic domains from the Tranco and Umbrella top lists. This isolates potentially harmful links of the kind typically used in phishing and malware campaigns, such as URLs embedded in emails and documents that entice users to download malicious content or submit sensitive information.
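The matching logic described above, as an added Python illustration that is not the Sublime rule's own code: URLs are extracted from the body and from already-extracted PDF text (PDF parsing is assumed to have happened upstream), their hostnames are compared against a constructed stand-in for the URLhaus domain list, and hits on allowlisted hosts (Google file storage, Tranco/Umbrella stand-ins) are suppressed. All domains below are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the URLhaus domain feed (placeholders, not real IoCs).
# "example.com" is included to show that a compromised high-traffic site on the
# feed is still filtered out by the top-list allowlist, as the rule intends.
URLHAUS_DOMAINS = {"bad-update.example", "invoice-portal.example", "example.com"}

# Allowlists the rule description mentions (constructed, abbreviated stand-ins).
GOOGLE_STORAGE = {"drive.google.com", "storage.googleapis.com"}
TOP_LISTS = {"google.com", "microsoft.com", "example.com"}  # Tranco/Umbrella stand-in

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def registered_domain(host: str) -> str:
    # Crude eTLD+1 (last two labels); a production rule would use a public-suffix list.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_hosts(text: str) -> set[str]:
    # Pull every http(s) URL out of free text and keep its lowercased hostname.
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_allowlisted(host: str) -> bool:
    return host in GOOGLE_STORAGE or registered_domain(host) in TOP_LISTS


def urlhaus_hits(body_text: str, pdf_texts: list[str]) -> set[str]:
    """Hostnames from the body or PDF text that match a URLhaus domain
    (exactly or as a subdomain) and are not on an allowlist."""
    candidates = extract_hosts(body_text)
    for pdf_text in pdf_texts:
        candidates |= extract_hosts(pdf_text)
    hits = set()
    for host in candidates:
        if is_allowlisted(host):
            continue  # allowlist wins, even if the feed lists the domain
        if host in URLHAUS_DOMAINS or registered_domain(host) in URLHAUS_DOMAINS:
            hits.add(host)
    return hits
```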
Categories
- Web
- Cloud
- Endpoint
- Application
Data Sources
- User Account
- Network Traffic
- File
Created: 2023-05-23