Attachment: PDF with personal Microsoft OneNote URL

Sublime Rules

Summary
This detection rule identifies PDF attachments that contain SharePoint URLs pointing to a user's personal Microsoft OneNote. It combines inbound message filtering with content analysis to check whether attachments, specifically PDFs, reference URLs matching the pattern of OneNote documents linked to the sender's email account. The rule matches incoming messages in which at least one PDF attachment contains a URL that is either a personalized OneNote link or a general OneNote personal path. The 'Credential Phishing' label indicates that the rule is aimed at scenarios where attackers misuse OneNote, through misleading PDF attachments, to gain illicit access to data.
Categories
  • Web
  • Application
  • Identity Management
Data Sources
  • File
  • Web Credential
  • Application Log
Created: 2025-12-05