
Summary
Detects inbound messages carrying a single-page PDF attachment used as lure content themed around bids and proposals (bid/RFP/RFQ/quotation) that also shows indicators of credential theft. The rule is restricted to messages with exactly one attachment, where that attachment is a PDF with exactly one page, and combines indicators drawn from the PDF's URLs, OCR output, file name, subject line, and message body. At least two of the following must be present: (1) bid/proposal phrases in the display text of URLs embedded in the PDF, (2) bid-related terms in the subject, sender display name, or message body, (3) bid-related terms in the PDF file name, (4) OCR results classified with high confidence as credential-theft intent or as a Purchase Order topic, and (5) URLs within the PDF pointing to suspicious domains or hosts (including free file hosts, unusual TLDs, and known URL shorteners). The message body's NLU classifications are also consulted for credential-theft signals. PDFs whose links resolve to suspicious domains (self-service platforms, free hosts, shorteners, and similar) are flagged, while messages are excluded when every link in the PDF points to Docusign or DotLoop, when the sender is solicited, and when the traffic originates from specific workflow robots. The rule maps to the BEC/Fraud and Credential Phishing threat categories and relies on PDF content analysis, OCR, URL analysis, and natural language understanding to surface high-risk credential-theft scenarios.
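The decision logic described above, expressed as an added Python example (not the vendor's rule language or the rule itself): a gate on exactly one single-page PDF, five indicators of which at least two must fire, and the exclusions applied afterwards. The term list, the host lists, the confidence threshold, the workflow-robot address and the sample messages are all constructed assumptions for illustration; folding body NLU credential-theft signals into indicator 4 is this example's reading of the summary.

```python
# Added example: emulation of the single-page bid-lure PDF rule's decision
# logic. Term lists, host lists and thresholds are assumptions, not the rule's.
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

BID_TERMS = re.compile(r"\b(bid|proposal|rfp|rfq|quotation|quote|tender)\b", re.I)
FREE_FILE_HOSTS = {"drive.google.com", "dropbox.com", "wetransfer.com"}  # assumed list
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}                       # assumed list
UNUSUAL_TLDS = {"xyz", "top", "icu", "click", "cfd"}                     # assumed list
ESIGN_HOSTS = ("docusign.com", "docusign.net", "dotloop.com")            # assumed list
WORKFLOW_ROBOTS = {"workflow-robot@example.com"}  # placeholder; the rule's list is not on the page
HIGH_CONFIDENCE = 0.8  # assumed threshold for "high confidence"


@dataclass
class PdfAttachment:
    file_name: str
    page_count: int
    urls: list = field(default_factory=list)        # (href, display_text) pairs
    ocr_labels: dict = field(default_factory=dict)  # label -> confidence in [0, 1]


@dataclass
class Message:
    subject: str
    sender_name: str
    sender_email: str
    body: str
    attachments: list
    body_nlu: dict = field(default_factory=dict)  # label -> confidence in [0, 1]
    sender_solicited: bool = False


def has_bid_term(text):
    # Underscores and hyphens are word characters, so "RFQ_Bid_Package" would
    # defeat \b; normalise them to spaces before matching.
    return BID_TERMS.search(re.sub(r"[_\-]", " ", text)) is not None


def host_of(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def host_in(host, hosts):
    return any(host == h or host.endswith("." + h) for h in hosts)


def is_suspicious_host(host):
    return (host_in(host, FREE_FILE_HOSTS | URL_SHORTENERS)
            or host.rsplit(".", 1)[-1] in UNUSUAL_TLDS)


def evaluate(msg):
    """Return {'match': bool, 'indicators': [names], 'reason': str}."""
    # Gate: exactly one attachment, and it is a one-page PDF.
    if len(msg.attachments) != 1:
        return {"match": False, "indicators": [], "reason": "attachment count"}
    pdf = msg.attachments[0]
    if not pdf.file_name.lower().endswith(".pdf") or pdf.page_count != 1:
        return {"match": False, "indicators": [], "reason": "not a single-page PDF"}

    hosts = [host_of(href) for href, _ in pdf.urls]
    hits = []
    if any(has_bid_term(text) for _, text in pdf.urls):
        hits.append("bid phrase in PDF link text")
    if any(has_bid_term(t) for t in (msg.subject, msg.sender_name, msg.body)):
        hits.append("bid term in subject/sender/body")
    if has_bid_term(pdf.file_name):
        hits.append("bid term in file name")
    if (pdf.ocr_labels.get("credential_theft", 0) >= HIGH_CONFIDENCE
            or pdf.ocr_labels.get("purchase_order", 0) >= HIGH_CONFIDENCE
            or msg.body_nlu.get("credential_theft", 0) >= HIGH_CONFIDENCE):
        hits.append("credential-theft / purchase-order intent")
    if any(is_suspicious_host(h) for h in hosts):
        hits.append("suspicious link host in PDF")

    if len(hits) < 2:
        return {"match": False, "indicators": hits, "reason": "fewer than two indicators"}
    # Exclusions are applied only once the indicator threshold is met.
    if hosts and all(host_in(h, ESIGN_HOSTS) for h in hosts):
        return {"match": False, "indicators": hits, "reason": "all links to e-signature platform"}
    if msg.sender_solicited:
        return {"match": False, "indicators": hits, "reason": "solicited sender"}
    if msg.sender_email.lower() in WORKFLOW_ROBOTS:
        return {"match": False, "indicators": hits, "reason": "workflow robot"}
    return {"match": True, "indicators": hits, "reason": "matched"}


# Constructed sample lure (not real mail): shortener link, bid wording everywhere,
# and an OCR classifier reporting credential-theft intent.
LURE = Message(
    subject="Request for Quotation - Project 2024",
    sender_name="Procurement Dept", sender_email="procure@example.net",
    body="Please review the attached bid package and sign in to view.",
    attachments=[PdfAttachment("RFQ_Bid_Package.pdf", 1,
                               urls=[("https://bit.ly/abc123", "View Bid Proposal")],
                               ocr_labels={"credential_theft": 0.93})],
)

if __name__ == "__main__":
    print(evaluate(LURE))
```

The exclusions deliberately run after the indicator count, so a triage analyst can still see which indicators fired on a message that was suppressed because every link went to an e-signature platform.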
Categories
- Endpoint
- Web
- Application
Data Sources
- File
- Image
Created: 2026-03-28