
Summary
This rule detects malicious PDF attachments in inbound communications. It targets PDFs that contain a single link which may lead to pages designed to manipulate the recipient into engaging with business-related documents (bids, proposals, agreements, or contracts) through action-oriented language. The rule applies several conditions: the attachment must be a PDF with exactly one page and a single valid URL whose link type is not 'mailto:' or 'email:'. The link is analyzed to confirm that it points to an external domain that is not inherently trusted, and the content it presents is evaluated using the linked page's title and its status code response. Links urging the user to view, read, or review sensitive content raise an alert for possible credential phishing. The rule aims to catch social engineering delivered via PDF files, in line with the tactics and techniques shared by threat actors, particularly those leveraging PDFs.
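As an added illustration, not the vendor's rule logic (whose exact conditions and word lists are not given on the page), the summary's conditions expressed as a Python check over constructed attachment metadata; the trusted-domain set, the keyword lists, the input dict shapes and the status-code handling are all assumptions:

```python
import re
from urllib.parse import urlparse

# Constructed: domains the organisation treats as inherently trusted.
TRUSTED_DOMAINS = {"sharepoint.com", "docusign.net"}
# Constructed keyword lists standing in for the rule's action-oriented and
# business-document terms; the real rule's word lists are not on the page.
ACTION_WORDS = r"\b(view|read|review|open|sign)\b"
BUSINESS_DOCS = r"\b(bids?|proposals?|agreements?|contracts?)\b"


def is_trusted(host):
    """Host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def single_link_pdf_lure(attachment, link_analysis):
    """Return True when the attachment satisfies the rule's conditions.

    attachment: content_type, page_count and the extracted links (href, type,
    visible text). link_analysis: status_code and title of the fetched page.
    Both shapes are assumptions made for this example.
    """
    if attachment["content_type"] != "application/pdf":
        return False
    if attachment["page_count"] != 1 or len(attachment["links"]) != 1:
        return False
    link = attachment["links"][0]
    if link["type"] in ("mailto", "email"):
        return False
    host = urlparse(link["href"]).hostname
    if not host or is_trusted(host):
        return False
    # Assumption: the fetched title only counts when the page actually loaded
    # (2xx); otherwise only the link's visible text is evaluated.
    text = link.get("text", "")
    if 200 <= link_analysis.get("status_code", 0) < 300:
        text += " " + link_analysis.get("title", "")
    text = text.lower()
    return bool(re.search(ACTION_WORDS, text) and re.search(BUSINESS_DOCS, text))


# Constructed sample: one-page PDF whose only link resolves to a "review the contract" page.
LURE = {"content_type": "application/pdf", "page_count": 1,
        "links": [{"href": "https://docs-portal.example/c", "type": "url", "text": "Open file"}]}
LURE_ANALYSIS = {"status_code": 200, "title": "Review the contract to proceed"}
# Constructed: same wording, but hosted on a trusted domain, so no alert.
BENIGN = {**LURE, "links": [{"href": "https://acme.sharepoint.com/c", "type": "url", "text": "Open file"}]}
```

Note that the link's visible text alone ("Open file") does not trip the check; the fetched page title supplies the business-document term, which is why the rule pairs link analysis with the title and status response.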
Categories
- Endpoint
- Web
- Cloud
- Application
Data Sources
- File
- Network Traffic
Created: 2026-02-28