
Summary
This rule detects inbound PDF attachments that contain an embedded SAI Global ISO9001 logo, using a YARA-based check. It selects inbound attachments of file_type pdf, traverses the exploded contents of each file (file.explode(.)), and flags any embedded image that matches the YARA rule SAI_Global_ISO9001_Logo_PDF_Fuzzy; the fuzzy rule is written to tolerate resized variants of the logo. A match indicates possible brand impersonation or a fraudulent certification claim, a lure commonly used to facilitate credential phishing. The detection is triggered by inbound attachments and relies on file analysis and YARA scanning. It is marked high severity and should be correlated with sender reputation and the surrounding email context to reduce false positives. Attacks of this kind depend on recognizable branding to appear trustworthy, so that recipients disclose credentials or carry out the actions the document prompts.
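The detection logic described above, as an added worked example that is not the rule page's own code: a small Python model of the three conditions (inbound, PDF attachment, YARA match somewhere in the exploded file tree) run over constructed sample messages. Only the YARA rule name comes from the page; the Message, Attachment and ExplodedFile structures, the evaluate() function and the trusted-sender allowlist used to downgrade severity are assumptions made for illustration, not a real mail-security product's API.

```python
"""Added example: model of an inbound-PDF + embedded-logo YARA detection.

The YARA rule name is the one named on the rule page; every other name here
(Message, Attachment, ExplodedFile, evaluate, trusted_senders) is a constructed
stand-in for whatever the real analysis platform exposes.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterator, List, Optional

# Rule name from the page. "Fuzzy" indicates the rule tolerates resized logos.
YARA_RULE_NAME = "SAI_Global_ISO9001_Logo_PDF_Fuzzy"


@dataclass
class ExplodedFile:
    """One object produced by exploding a file (image, embedded PDF, ...)."""
    file_type: str
    yara_matches: List[str] = field(default_factory=list)
    children: List["ExplodedFile"] = field(default_factory=list)


@dataclass
class Attachment:
    file_type: str
    exploded: List[ExplodedFile] = field(default_factory=list)


@dataclass
class Message:
    inbound: bool
    sender_domain: str
    attachments: List[Attachment]


def walk(files: List[ExplodedFile]) -> Iterator[ExplodedFile]:
    """Depth-first traversal of the exploded tree, mirroring file.explode(.)
    which descends into nested objects, not just top-level images."""
    for f in files:
        yield f
        yield from walk(f.children)


def pdf_has_logo_match(att: Attachment) -> bool:
    """True when the attachment is a PDF and any exploded object matched the rule."""
    if att.file_type.lower() != "pdf":
        return False
    return any(YARA_RULE_NAME in f.yara_matches for f in walk(att.exploded))


def evaluate(msg: Message,
             trusted_senders: FrozenSet[str] = frozenset()) -> Dict[str, object]:
    """Return a verdict: which attachments matched and the resulting severity.

    The page says matches should be correlated with sender reputation and
    context; here that is modelled (assumption) as a downgrade from "high"
    to "medium" for senders on an allowlist, so the alert is triaged rather
    than silently dropped.
    """
    no_match: Dict[str, object] = {"matched": False, "attachments": [], "severity": None}
    if not msg.inbound:
        return no_match
    hits = [i for i, att in enumerate(msg.attachments) if pdf_has_logo_match(att)]
    if not hits:
        return no_match
    severity = "medium" if msg.sender_domain in trusted_senders else "high"
    return {"matched": True, "attachments": hits, "severity": severity}


# Constructed sample messages (not real telemetry).
SAMPLE_MESSAGES: Dict[str, Message] = {
    # PDF whose embedded PNG matched the fuzzy logo rule -> should fire.
    "phish": Message(True, "sender.invalid",
                     [Attachment("pdf", [ExplodedFile("png", [YARA_RULE_NAME])])]),
    # PDF with an image that did not match -> no alert.
    "clean_pdf": Message(True, "sender.invalid",
                         [Attachment("pdf", [ExplodedFile("png", [])])]),
    # Logo hidden one level deeper, inside a PDF embedded in the PDF -> still fires.
    "nested": Message(True, "sender.invalid",
                      [Attachment("pdf", [ExplodedFile("pdf", [],
                                          [ExplodedFile("jpg", [YARA_RULE_NAME])])])]),
    # Same logo but in a DOCX: outside this rule's scope (PDF only).
    "docx_logo": Message(True, "sender.invalid",
                         [Attachment("docx", [ExplodedFile("png", [YARA_RULE_NAME])])]),
    # Outbound mail is not in scope for an inbound-attachment rule.
    "outbound": Message(False, "sender.invalid",
                        [Attachment("pdf", [ExplodedFile("png", [YARA_RULE_NAME])])]),
    # Known sender (assumed allowlist) -> match kept, severity downgraded.
    "trusted": Message(True, "trusted.example",
                       [Attachment("pdf", [ExplodedFile("png", [YARA_RULE_NAME])])]),
}


if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(name, evaluate(msg, trusted_senders=frozenset({"trusted.example"})))
```

The recursive walk is the part worth noting: a logo embedded in an object nested inside the PDF is found only because the traversal descends the whole exploded tree, which is what the rule's use of file.explode(.) over the file contents achieves.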
Categories
- Endpoint
Data Sources
- File
Created: 2026-04-16