
Attachment: Fake PDF Invoices Yara

Sublime Rules

Summary
This rule targets inbound PDF attachments and uses YARA signatures to detect fake invoice PDFs built for phishing. It evaluates inbound messages and filters for attachments with file_type "pdf". For each such file it traverses the file's content and checks the YARA matches, looking specifically for the signatures named fake_invoice_pdf_structure_01 or fake_invoice_pdf_images_01. A match indicates an artifact associated with fraudulent invoices and triggers a medium-severity alert. The rule is mapped to the attack types Malware/Ransomware and Credential Phishing; its tactics are PDF usage and social engineering, and its detection methods combine Content analysis, File analysis, and YARA scanning. The detection helps identify crafted PDF invoices that try to deceive recipients into clicking links or supplying credentials, relying on a believable invoice layout or embedded images to appear legitimate. False positives are possible where legitimate PDFs share similar structures or images, so corroborating signals (e.g., sender context, link destinations) may be warranted in environments with legitimate invoicing traffic.
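The filter chain described above (inbound only, PDF attachments only, YARA signature names checked across the file's content, medium severity on a hit), reimplemented in Python as an added illustration; this is not the rule's own source, which is written in Sublime's rule language, and the Message/Attachment/ExplodedFile classes, the known_invoice_senders parameter and the sample messages are assumptions constructed for the example.

```python
from dataclasses import dataclass
# Signature names the rule matches on (from the rule summary).
FAKE_INVOICE_SIGNATURES = frozenset({"fake_invoice_pdf_structure_01", "fake_invoice_pdf_images_01"})

@dataclass
class ExplodedFile:          # one node of the exploded attachment (PDF or embedded object)
    yara_matches: list       # names of YARA signatures that matched this node

@dataclass
class Attachment:
    file_name: str
    file_type: str
    exploded: list           # list[ExplodedFile]

@dataclass
class Message:
    inbound: bool
    sender_domain: str
    attachments: list        # list[Attachment]

def fake_invoice_hits(msg):
    """Return (file_name, signature) pairs that satisfy the rule's conditions."""
    if not msg.inbound:                        # inbound mail only
        return []
    hits = []
    for att in msg.attachments:
        if att.file_type != "pdf":             # PDF attachments only
            continue
        for node in att.exploded:              # traverse the file's content
            for name in node.yara_matches:
                if name in FAKE_INVOICE_SIGNATURES:
                    hits.append((att.file_name, name))
    return hits

def evaluate(msg, known_invoice_senders=frozenset()):
    """Medium-severity alert on any hit, plus the sender-context signal the false-positive caveat asks for."""
    hits = fake_invoice_hits(msg)
    if not hits:
        return None
    return {"severity": "medium", "hits": hits,
            "sender_is_known_invoicer": msg.sender_domain in known_invoice_senders}

# Constructed sample messages (not real telemetry).
PHISH = Message(True, "billing-notice.example", [Attachment(
    "invoice_4471.pdf", "pdf",
    [ExplodedFile([]), ExplodedFile(["fake_invoice_pdf_images_01"])])])
BENIGN = Message(True, "vendor.example", [
    Attachment("statement.pdf", "pdf", [ExplodedFile(["other_sig"])]),
    Attachment("notes.docx", "docx", [ExplodedFile(["fake_invoice_pdf_structure_01"])])])
```

The docx attachment in BENIGN carries a matching signature name but is ignored, which shows that the file_type filter runs before the YARA check.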
Categories
  • Endpoint
Data Sources
  • File
Created: 2026-06-17