Attachment: Decoy PDF Author (Julie P.)

Sublime Rules

Summary
This detection rule identifies inbound email messages carrying decoy PDF attachments with characteristics observed across several malicious email campaigns. The rule considers only attachments with a PDF file extension that do not exceed 250KB in size. Using EXIF metadata analysis, it looks for PDFs generated by DocFly, a marker associated with these campaigns, and correlates that with either 'Adobe PDFMaker' as the creator tool or a creator named 'Julie Peters' or 'Julie Pieters'. To minimize false positives, the rule also checks the sender profile: it requires that the sender has no history of solicited messages, or that the sender has previously been confirmed malicious with no prior false-positive reports.
Categories
  • Endpoint
  • Cloud
  • Web
Data Sources
  • File
  • User Account
  • Process
Created: 2024-07-26