Attachment: Invoice and W-9 PDFs with suspicious creators

Sublime Rules

Summary
This detection rule identifies potential business email compromise (BEC) attacks by analyzing inbound messages for a specific pair of PDF attachments. The rule targets messages with exactly two PDF files, where one matches naming patterns associated with invoices and the other indicates a W-9 form. It also checks whether at least one of these PDFs was generated by common HTML-to-PDF tools such as Chrome or wkhtmltopdf, which are frequently used to produce the fraudulent documents seen in these attacks. The rule uses string matching and regular expressions to recognize typical invoice filename formats and keywords associated with fraud. Additionally, it applies Optical Character Recognition (OCR) to the textual content of the PDFs and looks for known phrases indicative of scams. Finally, mail from specific known-legitimate sender domains is excluded, which reduces false positives and improves the overall accuracy of the detection.
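The following Python is an added illustration of the matching logic described in the summary; it is not the rule's own source and not Sublime's query language. The filename patterns, scam phrases, trusted domains and sample messages are constructed stand-ins, and treating every condition as conjunctive (pair of PDFs, suspicious creator, OCR phrase, sender not allowlisted) is an assumption about how the rule combines them.

```python
import re
from dataclasses import dataclass

# All patterns, phrases and domains below are constructed stand-ins, not the rule's real lists.
INVOICE_NAME = re.compile(r"invoice|inv[\s_-]?\d+|bill|statement", re.I)
W9_NAME = re.compile(r"(?<![a-z0-9])w[\s_-]?9(?![0-9])", re.I)
SUSPICIOUS_CREATORS = ("chrome", "wkhtmltopdf")          # substrings of PDF creator/producer metadata
SCAM_PHRASES = ("updated banking information", "remit payment to", "new wire instructions")
TRUSTED_SENDER_DOMAINS = {"billing.example-vendor.com"}  # allowlist of known-good senders

@dataclass
class Pdf:
    filename: str
    creator: str        # value of the PDF's Creator/Producer metadata field
    ocr_text: str = ""  # text recovered from the rendered pages by OCR

@dataclass
class Message:
    sender_domain: str
    attachments: list

def is_invoice_w9_bec(msg: Message) -> bool:
    """Return True when the message satisfies every condition of the rule summary."""
    if msg.sender_domain.lower() in TRUSTED_SENDER_DOMAINS:
        return False
    pdfs = [a for a in msg.attachments if a.filename.lower().endswith(".pdf")]
    if len(pdfs) != 2:                       # exactly two PDFs; any other count is out of scope
        return False
    a, b = pdfs
    # One file must look like an invoice and the *other* like a W-9, in either order.
    paired = (INVOICE_NAME.search(a.filename) and W9_NAME.search(b.filename)) or \
             (INVOICE_NAME.search(b.filename) and W9_NAME.search(a.filename))
    if not paired:
        return False
    creator_hit = any(tool in p.creator.lower() for p in pdfs for tool in SUSPICIOUS_CREATORS)
    ocr_hit = any(phrase in p.ocr_text.lower() for p in pdfs for phrase in SCAM_PHRASES)
    return creator_hit and ocr_hit

# Constructed sample messages covering a hit, the allowlist exclusion, and the wrong attachment count.
SUSPECT = Message("mail.example.net", [
    Pdf("Invoice_1043.pdf", "Chrome", "Please remit payment to the updated banking information below."),
    Pdf("Acme_W-9_2024.pdf", "wkhtmltopdf 0.12.6"),
])
ALLOWLISTED = Message("billing.example-vendor.com", SUSPECT.attachments)
THREE_PDFS = Message("mail.example.net", SUSPECT.attachments + [Pdf("Terms.pdf", "Chrome")])

if __name__ == "__main__":
    for name, m in [("suspect", SUSPECT), ("allowlisted", ALLOWLISTED), ("three pdfs", THREE_PDFS)]:
        print(f"{name}: {is_invoice_w9_bec(m)}")
```

Only the first sample message matches; the allowlisted sender and the three-attachment message are both rejected before the content checks run.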
Categories
  • Endpoint
  • Network
  • Cloud
  • Web
  • Application
Data Sources
  • File
  • Internet Scan
  • Process
Created: 2026-01-22