
Summary
This detection rule identifies email messages that mimic legitimate scan-to-email notifications (the messages a network scanner, copier or multifunction printer sends with a scanned document attached) but are designed for credential theft. Specifically, it analyzes the content of the email body and any attached PDF files for phrases that indicate the message is not a genuine scan notification. The body-text check requires that at least three keywords from a set related to scan operations or scanning devices are present. The rule also examines PDF attachments for specific properties, including security features such as encryption, and checks them for potentially malicious or fraudulent content using machine learning classifiers. Additionally, the sender's email domain is compared against the organization's known domains so that messages from unrecognized sources can be flagged. Efficacy is further reinforced by profiling the sender for previous spam or malicious activity.
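The following is an added, simplified illustration of the body-keyword threshold, sender-domain comparison and PDF-encryption signal described in the summary; it is not the rule's own logic or the vendor's code. The keyword set, the organizational domain list, the combination logic (flag only when the keyword threshold is met and the sender domain is unrecognized, with an encrypted PDF recorded as a supporting signal) and the three sample messages are all constructed assumptions. The machine-learning content classifiers and sender-reputation profiling the summary mentions are not reproduced.

```python
"""Simplified scan-to-email lure triage (added example, not the rule's code).

Assumptions: SCAN_KEYWORDS, ORG_DOMAINS, the flag combination and the sample
messages below are constructed for illustration only.
"""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Assumed keyword set: terms a scanner/copier notification typically carries.
SCAN_KEYWORDS = (
    "scan", "scanned", "scanner", "scan to email", "printer", "copier",
    "xerox", "ricoh", "konica", "document", "attached", "pages",
)

# Assumed organizational sending domains (placeholder values).
ORG_DOMAINS = frozenset({"example.com", "mail.example.com"})

MIN_KEYWORD_HITS = 3  # the summary's "at least three" threshold


@dataclass
class Message:
    sender: str                      # From header value
    body: str                        # plain-text body
    pdf_attachments: list[bytes] = field(default_factory=list)


def keyword_hits(body: str) -> set[str]:
    """Return the distinct scan keywords present in the body.

    Matching is case-insensitive and whole-word, so "scanned" does not also
    count as a hit for "scan".
    """
    text = body.lower()
    return {
        kw for kw in SCAN_KEYWORDS
        if re.search(r"\b" + re.escape(kw) + r"\b", text)
    }


def pdf_is_encrypted(pdf: bytes) -> bool:
    """Heuristic: a /Encrypt entry means the PDF uses standard security."""
    return b"/Encrypt" in pdf


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From header such as 'Name <a@b>'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def evaluate(msg: Message) -> dict:
    """Apply the keyword, sender-domain and PDF-encryption checks to one message."""
    hits = keyword_hits(msg.body)
    domain = sender_domain(msg.sender)
    scan_themed = len(hits) >= MIN_KEYWORD_HITS
    external = bool(domain) and domain not in ORG_DOMAINS
    encrypted_pdf = any(pdf_is_encrypted(p) for p in msg.pdf_attachments)

    reasons = []
    if scan_themed:
        reasons.append(f"scan-themed body ({len(hits)} keywords)")
    if external:
        reasons.append(f"sender domain {domain!r} is not an organizational domain")
    if encrypted_pdf:
        reasons.append("encrypted PDF attachment")

    return {
        # Assumed combination: theme threshold met AND sender unrecognized.
        "flagged": scan_themed and external,
        "keyword_hits": sorted(hits),
        "sender_domain": domain,
        "encrypted_pdf": encrypted_pdf,
        "reasons": reasons,
    }


# Constructed sample messages (not real traffic).
LURE = Message(
    sender="Office Scanner <noreply@scan-docs-portal.example>",
    body="A document was scanned and sent to you from the Xerox printer. "
         "2 pages attached. Open the scanned file to view.",
    pdf_attachments=[b"%PDF-1.7\n1 0 obj<<>>endobj\ntrailer<</Encrypt 5 0 R>>\n%%EOF"],
)
BENIGN = Message(
    sender="Copier <copier@mail.example.com>",
    body="Scanned document from the copier, 3 pages attached.",
)
UNRELATED = Message(
    sender="Alice <alice@partner.example>",
    body="Hi, attached is the agenda for Monday.",
)

if __name__ == "__main__":
    for name, m in (("lure", LURE), ("benign", BENIGN), ("unrelated", UNRELATED)):
        print(name, evaluate(m))
```

Running the block prints one verdict per sample: only the lure (six scan keywords, external domain, encrypted PDF) is flagged; the internal copier notification matches five keywords but comes from an organizational domain, and the unrelated message matches a single keyword.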
Categories
- Web
- Endpoint
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
- File
- Process
Created: 2024-05-14