
Summary
This detection rule identifies potentially malicious PDF attachments that have been crafted for phishing attempts. Specifically, it looks for PDF files attached to emails that include the recipient's domain in the filename and also contain a link that is personalized with the recipient's email address. The rule enforces that there is only one recipient and one PDF attachment in the email. It performs a detailed analysis of any links found within the PDF, ensuring that the link includes the recipient's email either directly within the URL or encoded in base64. Additionally, it checks for QR codes in the attachment that may also contain the email address. Through various checks, including filtering out links that start with 'mailto' or 'email:', the rule aims to highlight potentially harmful attempts at credential phishing that exploit personalized links in PDF documents. As these types of attacks can have significant repercussions for individuals and organizations, the severity of the detection is set to high.
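The conditions described above, as an added Python example that is not the rule's own code: a constructed message is checked for a single recipient, a single PDF whose filename contains the recipient's domain, and a PDF link or QR payload that carries the recipient address either in plain text or base64-encoded, with links starting with mailto: or email: ignored. The Message fields, the field names and the sample values are assumptions made for this example.

```python
import base64
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Message:
    """Constructed stand-in for the parsed email (assumption, not the rule's schema)."""
    recipients: List[str]
    attachment_names: List[str]
    pdf_links: List[str] = field(default_factory=list)    # links extracted from the PDF
    qr_payloads: List[str] = field(default_factory=list)  # decoded QR code contents


def base64_forms(value: str) -> Set[str]:
    """Standard and URL-safe base64 of value, with and without '=' padding.
    Note: this only matches an email encoded on its own; an address embedded
    in a longer encoded string shifts the alignment and would need decoding."""
    raw = value.encode()
    forms = set()
    for encoder in (base64.b64encode, base64.urlsafe_b64encode):
        encoded = encoder(raw).decode()
        forms.update({encoded, encoded.rstrip("=")})
    return forms


def link_targets_recipient(link: str, email: str) -> bool:
    """True if the link is personalized with the recipient's address."""
    lowered = link.strip().lower()
    if lowered.startswith(("mailto:", "email:")):
        return False                       # address-only links are expected, not phishing
    if email.lower() in lowered:
        return True                        # plain-text address in the URL
    return any(form in link for form in base64_forms(email))  # base64 is case-sensitive


def is_personalized_pdf_phish(msg: Message) -> bool:
    """Apply the structural checks, then inspect every PDF link and QR payload."""
    if len(msg.recipients) != 1 or len(msg.attachment_names) != 1:
        return False
    email = msg.recipients[0]
    domain = email.split("@", 1)[-1].lower()
    name = msg.attachment_names[0].lower()
    if not name.endswith(".pdf") or domain not in name:
        return False
    return any(link_targets_recipient(x, email) for x in msg.pdf_links + msg.qr_payloads)
```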
Categories
- Endpoint
- Cloud
- Web
Data Sources
- File
- Process
- Network Traffic
Created: 2025-08-22