
Summary
The rule identifies spam emails carrying a single malformed PDF attachment, a pattern often used in scams, particularly romance scams and lures to adult content. The detection logic focuses on characteristics typical of such spam: the message body is very brief, there is exactly one attachment, and that attachment presents as a PDF but is detected as an unknown file type with high entropy. Malforming the PDF in this way is intended to evade detection systems. The rule also checks for hyperlinks to free email providers in the body that display no meaningful text, and for multiple recipients on free email domains, which indicates a mass spam campaign. Finally, the sender's profile is evaluated for prevalence, so that the rule targets unsolicited messages while minimizing false positives by taking the sender's prior reputation into account.
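The following is an added, self-contained Python model of the conditions listed above; it is not the rule's own implementation or query language. Each condition (brief body, exactly one attachment, a PDF-looking attachment with no recognised magic bytes and high entropy, a free-mail link with no meaningful anchor text, several free-mail recipients, a rarely seen sender) is one boolean check, and the verdict is their conjunction. The thresholds, the small free-provider list, the magic-byte table and both sample messages are assumptions constructed for illustration.

```python
"""Toy scorer for the 'single malformed PDF attachment' spam pattern.

Added example, not the rule's own implementation. All thresholds and the
domain/magic tables below are assumptions chosen for illustration.
"""
import math
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative, not exhaustive, set of free email providers (assumption).
FREE_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Minimal magic-byte table: anything not matching is "unknown" (assumption).
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"\x89PNG": "png",
         b"\xff\xd8\xff": "jpeg", b"GIF8": "gif", b"MZ": "pe"}

HIGH_ENTROPY_BITS = 7.0    # assumption: near-random bytes (maximum is 8.0)
MAX_BODY_WORDS = 20        # assumption: what counts as "very brief" body text
MIN_FREE_RECIPIENTS = 2    # assumption: mass mailing to free-mail addresses
RARE_SENDER_MAX_SEEN = 1   # assumption: sender seen at most this often before


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 when every byte value occurs equally often."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_file_type(data: bytes) -> str:
    """Type implied by the leading magic bytes, or 'unknown'."""
    return next((t for m, t in MAGIC.items() if data.startswith(m)), "unknown")


def is_malformed_pdf(att: dict) -> bool:
    """Presents as a PDF (name or MIME type) but has no known magic and random-looking bytes."""
    presents_as_pdf = (att["filename"].lower().endswith(".pdf")
                       or att["content_type"] == "application/pdf")
    return (presents_as_pdf
            and detect_file_type(att["data"]) == "unknown"
            and shannon_entropy(att["data"]) > HIGH_ENTROPY_BITS)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


class _BodyParser(HTMLParser):
    """Collect visible text and (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def link_target_domain(href: str) -> str:
    """Domain a link points at: the address domain for mailto:, else the URL host."""
    if href.lower().startswith("mailto:"):
        return domain_of(href[len("mailto:"):].split("?", 1)[0])
    return (urlparse(href).hostname or "").lower()


def evaluate(msg: dict, sender_seen_before: int) -> dict:
    """Run every condition from the rule summary; 'match' is their conjunction."""
    body = _BodyParser()
    body.feed(msg["body_html"])
    atts = msg["attachments"]
    # Anchor text is "not meaningful" if empty or just a copy of the link target.
    free_link_no_text = any(
        link_target_domain(href) in FREE_EMAIL_DOMAINS
        and (text == "" or text.lower() in href.lower())
        for href, text in body.links)
    free_recipients = sum(domain_of(r) in FREE_EMAIL_DOMAINS for r in msg["to"])
    checks = {
        "brief_body": len("".join(body.text).split()) <= MAX_BODY_WORDS,
        "single_attachment": len(atts) == 1,
        "malformed_pdf": len(atts) == 1 and is_malformed_pdf(atts[0]),
        "free_mail_link_without_text": free_link_no_text,
        "many_free_recipients": free_recipients >= MIN_FREE_RECIPIENTS,
        "rare_sender": sender_seen_before <= RARE_SENDER_MAX_SEEN,
    }
    checks["match"] = all(checks.values())
    return checks


# Constructed sample messages (not real captures).
SPAM_MSG = {
    "to": ["a@gmail.com", "b@yahoo.com", "c@hotmail.com"],
    "body_html": '<p>hi, open this</p><a href="mailto:lonely@gmail.com">lonely@gmail.com</a>',
    "attachments": [{"filename": "photo.pdf", "content_type": "application/pdf",
                     "data": bytes(range(256)) * 8}],  # no %PDF- header, entropy 8.0
}
BENIGN_MSG = {
    "to": ["alice@example.com"],
    "body_html": "<p>Hi Alice, the signed contract is attached as discussed on our call.</p>",
    "attachments": [{"filename": "contract.pdf", "content_type": "application/pdf",
                     "data": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"}],
}

if __name__ == "__main__":
    print(evaluate(SPAM_MSG, sender_seen_before=0))     # every check True
    print(evaluate(BENIGN_MSG, sender_seen_before=40))  # match False
```

Returning the individual checks rather than only the verdict mirrors how such rules are tuned: when a message fails, the dictionary shows which condition (sender prevalence, entropy threshold, recipient count) did the filtering, which is what you need when adjusting a threshold to trade recall against false positives.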
Categories
- Web
- Endpoint
- Cloud
- Infrastructure
Data Sources
- User Account
- File
- Process
- Network Traffic
Created: 2024-05-23