
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender

Sublime Rules

Summary
This detection rule identifies potential sextortion attempts delivered as emails carrying PDF attachments. The emails typically cite breached personal information such as the recipient's name, address, and phone number, and are sent from free email provider accounts. The rule looks for attachments whose filename matches the email's subject, which ties the claim in the message directly to the supplied document. It also searches the email body for U.S. or Canadian postal addresses, which the sender includes to make the threat feel credible and urgent. A key check is whether the PDF attachment contains images, in particular QR codes that may resolve to Bitcoin addresses, since these are a common payment mechanism in extortion attempts. Together, the characteristics of the email, its attachment, and the embedded images are used to assess the likelihood that a sextortion scheme is in play.
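As an added illustration (not the Sublime rule's own logic, whose source is not on this page), the following Python triage function approximates the signals the summary lists: a freemail sender (the domain list is an assumption), a U.S. or Canadian address in the body (a simplified regex), a PDF attachment named after the subject, and an embedded image in the PDF (a marker scan standing in for the rule's QR-code analysis). The sample message is constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: a small sample of free email provider domains, not the rule's list.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Simplified U.S./Canadian street address (assumption, not the rule's pattern):
# "<number> <street>, <city>, <ST> <ZIP or postal code>".
ADDRESS_RE = re.compile(
    r"\b\d{1,6}\s+\w[\w\s.]{1,40},\s*\w[\w\s]{1,30},\s*[A-Z]{2}\s+"
    r"(?:\d{5}(?:-\d{4})?|[A-Z]\d[A-Z]\s?\d[A-Z]\d)\b"
)
# Stand-in for the rule's embedded-image/QR check: a PDF image XObject marker.
PDF_IMAGE_RE = re.compile(rb"/Subtype\s*/Image")


def assess(raw: bytes) -> dict:
    """Evaluate the signals described in the summary; 'suspicious' needs all of them."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    subject = (msg.get("Subject") or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    signals = {
        "freemail_sender": sender.rsplit("@", 1)[-1].strip(">") in FREEMAIL_DOMAINS,
        "address_in_body": bool(ADDRESS_RE.search(body)),
        "pdf_named_as_subject": False,
        "pdf_has_image": False,
    }
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(".pdf") and name[:-4] == subject:
            signals["pdf_named_as_subject"] = True
        if PDF_IMAGE_RE.search(part.get_payload(decode=True) or b""):
            signals["pdf_has_image"] = True
    signals["suspicious"] = all(signals.values())
    return signals


def build_sample() -> bytes:
    """Constructed sample message that fires every signal (not a real email)."""
    msg = EmailMessage()
    msg["From"] = "anon-sender@gmail.com"
    msg["Subject"] = "John Doe"
    msg.set_content("John, we know you live at 123 Maple St, Springfield, IL 62704.")
    pdf = b"%PDF-1.4\n1 0 obj << /Type /XObject /Subtype /Image >> endobj\n%%EOF\n"
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="John Doe.pdf")
    return msg.as_bytes()
```

Running `assess(build_sample())` reports all four signals as true; a plain message from a corporate domain with no attachment reports `suspicious` as false.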
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Process
  • File
Created: 2024-09-12