Callback Phishing: Social Security Administration Fraud

Sublime Rules

Summary
This detection rule identifies phishing attempts that impersonate the Social Security Administration (SSA) and target users with fraudulent PDFs containing deceptive language. The rule looks for inbound emails with characteristics indicative of this phishing pattern: a single PDF attachment, a sender domain that matches a known free email provider, and specific text content within the attachment. The attachment must contain at least one page and produce enough Optical Character Recognition (OCR) output to establish the fraudulent context. The rule scans that text for at least four key phrases related to SSA fraud or illicit activity and checks for a callback number written in one of the common formats. The inclusion criteria also require that the sender either has a history of malicious behavior or has not been marked as a false positive, which improves the reliability of the detection.
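The conditions described above, modelled as a standalone check in Python. This is an added illustration, not the Sublime rule itself: the message fields, free-provider list, phrase list, OCR-length threshold and sample OCR text are all constructed assumptions, since the page does not publish the rule's actual values.

```python
import re
from dataclasses import dataclass

# Constructed inputs; the field names below are assumptions, not Sublime's message schema.
FREE_MAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Constructed phrase list: the page does not publish the rule's actual phrases.
SSA_FRAUD_PHRASES = ["social security number", "suspended", "money laundering",
                     "drug trafficking", "arrest warrant", "immediately call"]
# Common callback-number layouts such as (555) 123-4567, 555-123-4567 or 555.123.4567.
CALLBACK_NUMBER = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]\d{4}\b")
MIN_OCR_CHARS = 200   # assumed threshold for "substantial" OCR output
MIN_PHRASE_HITS = 4   # the page states at least four phrases must appear

@dataclass
class Attachment:
    file_type: str
    page_count: int
    ocr_text: str

@dataclass
class Message:
    inbound: bool
    sender_domain: str
    attachments: list
    sender_known_malicious: bool = False
    sender_marked_false_positive: bool = False

def phrase_hits(text: str) -> int:
    lowered = text.lower()
    return sum(1 for p in SSA_FRAUD_PHRASES if p in lowered)

def matches_ssa_callback_rule(msg: Message) -> bool:
    # Exactly one attachment, and it must be a PDF with at least one page of OCR text.
    if not msg.inbound or len(msg.attachments) != 1:
        return False
    pdf = msg.attachments[0]
    if pdf.file_type != "pdf" or pdf.page_count < 1 or len(pdf.ocr_text) < MIN_OCR_CHARS:
        return False
    # The SSA does not write from webmail, so the sender must be at a free provider.
    if msg.sender_domain.lower() not in FREE_MAIL_PROVIDERS:
        return False
    if phrase_hits(pdf.ocr_text) < MIN_PHRASE_HITS or not CALLBACK_NUMBER.search(pdf.ocr_text):
        return False
    # Reputation gate: known-bad history, or at least never cleared as a false positive.
    return msg.sender_known_malicious or not msg.sender_marked_false_positive

# Constructed sample of OCR output from a lure PDF, repeated to exceed the length threshold.
SAMPLE_OCR = ("Notice: your Social Security Number has been suspended due to suspicious "
              "activity linked to money laundering and drug trafficking. An arrest warrant "
              "is pending. Immediately call our officer at (555) 123-4567 right away. " * 2)
```

Each gate fails closed, so a message from an organisational domain, one with too little OCR text, or one from a sender already cleared as a false positive is not flagged even when the lure text matches.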
Categories
  • Endpoint
  • Web
  • Cloud
Data Sources
  • Image
  • Logon Session
  • File
  • Network Traffic
Created: 2025-02-24