Attachment: Password-protected PDF with fake document indicators

Sublime Rules

Summary
This detection rule flags password-protected PDF attachments that carry indicators of being fake documents, a pattern observed in prior incidents. It fires only on inbound messages carrying exactly one attachment whose file type is PDF, and it applies YARA signatures that have previously matched similar content. Both file analysis and Exif metadata analysis are used to extract the attachment's metadata and confirm that it is password-protected. Password-protected decoy documents of this kind are commonly used in malware/ransomware and credential phishing attacks to compromise systems and capture sensitive information, so the rule helps mitigate those risks.
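The following is an added example that mirrors the gating logic described above over constructed sample messages; it is not the Sublime rule itself. The `Message` and `Attachment` classes, the sample PDFs, and the `constructed_matcher` stand-in for the rule's YARA signatures (which the page does not list) are all assumptions made for the example. Password protection is detected from the PDF's own structure: an encrypted PDF carries an `/Encrypt` reference in its trailer or cross-reference stream dictionary, which is the same fact exiftool reports as its `Encryption` tag.

```python
"""Added example: evaluate the rule's conditions over constructed messages."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Attachment:
    filename: str
    content_type: str
    data: bytes


@dataclass
class Message:
    inbound: bool
    attachments: List[Attachment] = field(default_factory=list)


PDF_MAGIC = b"%PDF-"
# An /Encrypt entry referencing an indirect object, e.g. "/Encrypt 5 0 R".
ENCRYPT_REF = re.compile(rb"/Encrypt\s+\d+\s+\d+\s+R")

YaraMatcher = Callable[[bytes], List[str]]


def is_pdf(att: Attachment) -> bool:
    """File-type check on content (magic bytes), not on the declared name or MIME type."""
    return att.data.startswith(PDF_MAGIC)


def is_password_protected(data: bytes) -> bool:
    """True when the PDF declares an encryption dictionary (password-protected)."""
    return ENCRYPT_REF.search(data) is not None


def constructed_matcher(data: bytes) -> List[str]:
    """Stand-in for the rule's YARA signatures (assumption: the real ones are not on the page).
    It fires on a constructed marker string so the example runs offline."""
    return ["constructed_fake_document_indicator"] if b"CONSTRUCTED_FAKE_DOC_MARKER" in data else []


def evaluate(msg: Message, yara: YaraMatcher = constructed_matcher) -> Dict[str, object]:
    """Apply the rule's conditions in order and explain why a message did or did not match."""
    verdict: Dict[str, object] = {"match": False, "reasons": [], "yara_matches": []}
    reasons: List[str] = verdict["reasons"]  # type: ignore[assignment]
    if not msg.inbound:
        reasons.append("message is not inbound")
        return verdict
    if len(msg.attachments) != 1:
        reasons.append(f"expected exactly one attachment, got {len(msg.attachments)}")
        return verdict
    att = msg.attachments[0]
    if not is_pdf(att):
        reasons.append(f"{att.filename}: not a PDF by content")
        return verdict
    if not is_password_protected(att.data):
        reasons.append(f"{att.filename}: PDF is not password-protected")
        return verdict
    hits = yara(att.data)
    if not hits:
        reasons.append(f"{att.filename}: no fake-document signature matched")
        return verdict
    verdict["match"] = True
    verdict["yara_matches"] = hits
    return verdict


def build_sample_pdf(encrypted: bool, marker: bool) -> bytes:
    """Constructed minimal PDF-like bytes for demonstration (not a real document)."""
    body = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    if marker:
        body += b"% CONSTRUCTED_FAKE_DOC_MARKER\n"
    trailer = b"trailer << /Root 1 0 R"
    if encrypted:
        trailer += b" /Encrypt 5 0 R"
    return body + trailer + b" >>\n%%EOF\n"


if __name__ == "__main__":
    sample = Message(True, [Attachment("invoice.pdf", "application/pdf", build_sample_pdf(True, True))])
    print(evaluate(sample))
```

Running the block prints a matching verdict for the constructed encrypted PDF; swapping in an unencrypted PDF, a second attachment, or an outbound message produces a non-match with the failing condition named in `reasons`, which is useful when tuning the rule against false positives.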
Categories
  • Endpoint
  • Web
  • Identity Management
Data Sources
  • File
  • User Account
  • Network Traffic
Created: 2026-01-22