
Summary
This rule identifies self-sent email messages that contain deceptive PDF attachments with misleading links. It detects messages in which a user sends an email to themselves that claims to have a PDF attachment but actually contains only images. The rule checks for specific patterns such as a fake PDF icon sourced from Google's CDN and suspicious links leading to free subdomain hosts. It inspects the email body for a mention of an attachment, checks the attachment file types, and verifies that the sender and recipient email addresses match. It pays particular attention to links that end with '.pdf' and are hosted on subdomains known for potential phishing attempts. The severity of this detection is classified as low, primarily because it relies on social engineering tactics that are often used in credential phishing attacks.
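As an added illustration (not the rule's own logic or query syntax), the following Python applies the checks listed above to a constructed message; the host lists, the message field names and the attachment-wording pattern are assumptions standing in for the rule's real values.

```python
"""Illustrative re-implementation of the detection logic described in the summary.
Constructed example; host lists and field names are placeholders, not the rule's values."""
import re
from dataclasses import dataclass, field

# Assumed placeholders: hosts of free subdomain providers, and the CDN host the
# fake PDF icon is loaded from. Replace with the rule's actual lists.
FREE_SUBDOMAIN_HOSTS = ("free-pages.example", "sites-free.example")
ICON_CDN_HOSTS = ("cdn.example-google.test",)
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")
# Assumed wording that counts as "mentions an attachment".
ATTACHMENT_WORDS = re.compile(r"\b(attached|attachment|see the pdf)\b", re.I)

@dataclass
class Message:
    sender: str
    recipients: list
    body_text: str
    image_srcs: list = field(default_factory=list)        # <img src> URLs in the HTML body
    link_urls: list = field(default_factory=list)         # href targets in the HTML body
    attachment_names: list = field(default_factory=list)  # real MIME attachments

def _host(url):
    m = re.match(r"https?://([^/]+)", url, re.I)
    return m.group(1).lower() if m else ""

def is_self_sent(msg):
    # Sender and every recipient must be the same address.
    return bool(msg.recipients) and all(r.lower() == msg.sender.lower() for r in msg.recipients)

def mentions_attachment(msg):
    return ATTACHMENT_WORDS.search(msg.body_text) is not None

def only_image_attachments(msg):
    # Claims a PDF, but the only real attachments are images (no .pdf present).
    names = [n.lower() for n in msg.attachment_names]
    return bool(names) and all(n.endswith(IMAGE_EXTS) for n in names)

def fake_pdf_icon(msg):
    return any(_host(src) in ICON_CDN_HOSTS for src in msg.image_srcs)

def suspicious_pdf_links(msg):
    # Links whose path ends in .pdf and whose host is a subdomain of a free host.
    hits = []
    for url in msg.link_urls:
        host, path = _host(url), url.split("?", 1)[0].lower()
        if path.endswith(".pdf") and any(host.endswith("." + h) for h in FREE_SUBDOMAIN_HOSTS):
            hits.append(url)
    return hits

def matches_rule(msg):
    return (is_self_sent(msg) and mentions_attachment(msg) and only_image_attachments(msg)
            and fake_pdf_icon(msg) and bool(suspicious_pdf_links(msg)))

# Constructed sample message exhibiting every condition the rule checks.
SAMPLE = Message(sender="user@corp.test", recipients=["user@corp.test"],
                 body_text="Please see the attached invoice.",
                 image_srcs=["https://cdn.example-google.test/pdf-icon.png"],
                 link_urls=["https://acct.free-pages.example/invoice.pdf"],
                 attachment_names=["pdf_icon.png"])
```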
Categories
- Endpoint
- Web
- Cloud
- Application
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2025-12-13