
Summary
This rule detects credential phishing attempts delivered as a single-page PDF attachment in inbound email. All of the following conditions must hold for the rule to fire:
- The message carries exactly one PDF attachment, and its filename contains a typical proposal-related term (proposal, bid, document, rf/pq).
- The PDF is a single page (via EXIF page_count).
- OCR is run on the PDF; the OCR step must succeed, the recovered text must be non-empty and under 2000 characters, and an NLU classifier run over that text must return a cred_theft intent.
- Among the PDF's root-level URLs, exactly one remains after discarding mailto links and URLs that point at commonly trusted PDF producers or known safe domains.
- The sender's domain is not a high-trust domain that passes DMARC; when it is, the alert is suppressed.
The rule classifies the activity as Credential Phishing, attributes it to the PDF, Social Engineering and Evasion techniques, and relies on file analysis, NLP/NLU, OCR and URL analysis to detect the threat.
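The following Python is an added illustration of the conditions above, not the rule's own query language or the vendor's implementation. It assumes a message has already been parsed into the fields the rule consumes (attachment filename, page count, OCR text and status, root-level URLs, sender domain, DMARC result). The NLU classifier is replaced by a small keyword heuristic so the example runs offline, the trusted-producer, safe-domain and high-trust-sender lists are constructed placeholders, and the "rf/pq" term is assumed to abbreviate a pattern matching rfp or rfq. The sample messages at the bottom are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: "rf/pq" on the page is read as a pattern matching rfp/rfq.
PROPOSAL_TERMS = re.compile(r"proposal|bid|document|rf[pq]", re.IGNORECASE)
MAX_OCR_CHARS = 2000

# Constructed placeholder lists; the real rule's lists are not shown on the page.
TRUSTED_PDF_PRODUCERS = {"adobe.com", "microsoft.com"}
SAFE_DOMAINS = {"example.org"}
HIGH_TRUST_SENDER_DOMAINS = {"docusign.net"}


@dataclass
class Attachment:
    filename: str
    content_type: str
    page_count: Optional[int]     # from EXIF page_count; None if unavailable
    ocr_text: Optional[str]       # text recovered by OCR; None if OCR produced nothing
    ocr_succeeded: bool
    urls: List[str]               # root-level URLs extracted from the PDF


@dataclass
class Message:
    sender_domain: str
    dmarc_pass: bool
    attachments: List[Attachment]


def nlu_intent(text: str) -> str:
    """Stand-in for the NLU classifier (keyword heuristic, not the vendor's model)."""
    t = text.lower()
    lure = any(k in t for k in ("sign in", "log in", "verify"))
    target = any(k in t for k in ("password", "credential", "account"))
    return "cred_theft" if lure and target else "benign"


def registered_domain(url: str) -> str:
    """Last two labels of the hostname; a rough stand-in for eTLD+1 lookup."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def untrusted_urls(urls: List[str]) -> List[str]:
    """Drop mailto links and URLs on trusted-producer or known-safe domains."""
    keep = []
    for u in urls:
        if u.lower().startswith("mailto:"):
            continue
        d = registered_domain(u)
        if d in TRUSTED_PDF_PRODUCERS or d in SAFE_DOMAINS:
            continue
        keep.append(u)
    return keep


def evaluate(msg: Message) -> Tuple[bool, str]:
    """Return (fires, reason), walking the rule's conditions in order."""
    pdfs = [a for a in msg.attachments
            if a.content_type == "application/pdf" or a.filename.lower().endswith(".pdf")]
    if len(pdfs) != 1:
        return False, "expected exactly one PDF attachment"
    pdf = pdfs[0]
    if not PROPOSAL_TERMS.search(pdf.filename):
        return False, "filename lacks a proposal-related term"
    if pdf.page_count != 1:
        return False, "PDF is not single-page"
    if not pdf.ocr_succeeded or not pdf.ocr_text or len(pdf.ocr_text) >= MAX_OCR_CHARS:
        return False, "OCR failed, produced no text, or text is too long"
    if nlu_intent(pdf.ocr_text) != "cred_theft":
        return False, "NLU intent is not cred_theft"
    urls = untrusted_urls(pdf.urls)
    if len(urls) != 1:
        return False, f"expected exactly one untrusted URL, found {len(urls)}"
    if msg.sender_domain in HIGH_TRUST_SENDER_DOMAINS and msg.dmarc_pass:
        return False, "high-trust sender domain with DMARC pass; alert suppressed"
    return True, f"credential phishing via {urls[0]}"


# Constructed samples: a lure PDF, the same lure from a high-trust DMARC-passing
# sender (suppressed), and a multi-page PDF (does not match).
LURE = Attachment(
    filename="Q3_Proposal_Request.pdf", content_type="application/pdf", page_count=1,
    ocr_text="Your account has been locked. Sign in with your password to view the proposal.",
    ocr_succeeded=True,
    urls=["https://docs-review.example.com/login", "mailto:sales@vendor-mail.example.net"],
)
PHISH = Message("vendor-mail.example.net", True, [LURE])
SUPPRESSED = Message("docusign.net", True, [LURE])
MULTIPAGE = Message("vendor-mail.example.net", False,
                    [Attachment("bid_pack.pdf", "application/pdf", 4, LURE.ocr_text, True, LURE.urls)])

if __name__ == "__main__":
    for name, m in (("PHISH", PHISH), ("SUPPRESSED", SUPPRESSED), ("MULTIPAGE", MULTIPAGE)):
        print(name, evaluate(m))
```

The order of checks mirrors the rule: cheap structural filters (attachment count, filename, page count) run before OCR length and NLU, and the DMARC-based suppression is applied last so that a DMARC-passing high-trust sender never alerts even when every content signal matches.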
Categories
- Network
- Endpoint
- Web
Data Sources
- File
- Image
- Domain Name
- Network Traffic
Created: 2026-03-18