
Summary
This detection rule identifies email messages that carry a single PDF attachment whose filename contains a numeric password that is also stated in the body of the email. The rule first filters inbound messages for exactly one PDF attachment. It then applies a regular expression to the body text to find a password. If a password is found, it checks whether the PDF filename contains the value captured by the regex. This detection is useful for spotting phishing attempts, particularly those that use PDF files to deliver sensitive information or malware. By correlating a numeric password that appears in both the body and the filename, the rule helps flag credential theft or malware delivery disguised as a legitimate attachment.
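The logic described above, written out as an added Python example that is not the rule's own code. It assumes a simplified message model (Attachment, Message) and a password regex of my own choosing; the sample messages are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed, simplified message model; not the detection platform's own schema.
@dataclass
class Attachment:
    file_name: str
    content_type: str

@dataclass
class Message:
    body_text: str
    attachments: List[Attachment] = field(default_factory=list)

# Assumed pattern: "password"/"passcode", optionally followed by "is" or ":",
# then a run of four or more digits captured as the numeric password.
PASSWORD_RE = re.compile(r"(?i)\bpass(?:word|code)\b\s*(?:is|:)?\s*(\d{4,})")

def is_pdf(att: Attachment) -> bool:
    return att.content_type == "application/pdf" or att.file_name.lower().endswith(".pdf")

def find_body_password(body: str) -> Optional[str]:
    """Return the numeric password stated in the body, or None if absent."""
    m = PASSWORD_RE.search(body)
    return m.group(1) if m else None

def pdf_password_in_filename(msg: Message) -> Optional[str]:
    """Return the password when the message has exactly one PDF attachment,
    the body states a numeric password, and that password appears in the
    PDF filename; otherwise return None (the rule does not fire)."""
    pdfs = [a for a in msg.attachments if is_pdf(a)]
    if len(pdfs) != 1:
        return None
    password = find_body_password(msg.body_text)
    if password is None or password not in pdfs[0].file_name:
        return None
    return password

# Constructed sample messages for illustration.
SUSPICIOUS = Message(
    body_text="Your secure document is attached. The password is 483920.",
    attachments=[Attachment("Invoice_483920.pdf", "application/pdf")],
)
BENIGN = Message(
    body_text="Please find the quarterly report attached.",
    attachments=[Attachment("Q3_report.pdf", "application/pdf")],
)

if __name__ == "__main__":
    print(pdf_password_in_filename(SUSPICIOUS))  # 483920
    print(pdf_password_in_filename(BENIGN))      # None
```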
Categories
- Web
- Application
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2026-02-20