
Attachment: Encrypted PDF With Credential Theft Body

Sublime Rules

Summary
This detection rule flags emails that carry an encrypted PDF attachment and whose body reads like a credential-theft lure. The rule first checks that the message contains a PDF that is either explicitly encrypted or has byte entropy high enough to indicate encryption. It then inspects the email body for language associated with credential theft, using a natural language understanding classifier that scores the intent of the content and the confidence of that classification. Finally, it profiles the sender against known malicious patterns and checks domain trustworthiness: detections from highly trusted sender domains are negated unless the message failed DMARC authentication. The techniques employed are content analysis, Exif analysis and sender profile scrutiny, which makes the rule effective against credential phishing and social engineering attempts.
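The decision logic the summary describes, as an added Python sketch that is not Sublime's rule or its query language: the attachment check looks for a PDF /Encrypt dictionary or high byte entropy, a keyword matcher stands in for the NLU classifier, and the trusted-domain negation is lifted when DMARC fails. The sample PDFs, the regex list and the allowlist are constructed assumptions.

```python
import math
import re

# Constructed sample attachments (not from the page). Real encrypted PDFs carry
# an /Encrypt entry in the trailer; the second sample is padded with a
# maximum-entropy byte sequence to exercise the entropy fallback.
PDF_WITH_ENCRYPT = b"%PDF-1.7\ntrailer\n<< /Encrypt 2 0 R /Root 1 0 R >>\n%%EOF"
PDF_HIGH_ENTROPY = b"%PDF-1.7\nstream\n" + bytes(range(256)) * 8 + b"\nendstream\n"
PDF_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed content approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(v) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pdf_looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    # Explicit encryption dictionary, or entropy high enough to suggest one
    return b"/Encrypt" in data or shannon_entropy(data) > threshold

# Keyword stand-in for the NLU classifier the rule uses (hypothetical; the real
# classifier scores intent and confidence, which regexes cannot reproduce).
CREDENTIAL_LURE = [
    r"\b(verify|confirm|update|validate)\b.{0,40}\b(password|credentials|account)\b",
    r"\b(sign|log)[ -]?in\b.{0,40}\b(view|access|open|review)\b",
    r"\bpassword\b.{0,40}\b(expire|expires|expired|suspend)",
]

def credential_theft_intent(body: str) -> bool:
    text = " ".join(body.lower().split())
    return any(re.search(p, text) for p in CREDENTIAL_LURE)

# Constructed allowlist standing in for the rule's high-trust sender domains.
HIGH_TRUST_DOMAINS = {"trusted-vendor.example"}

def should_alert(msg: dict) -> bool:
    """msg: {'from', 'dmarc_pass', 'body', 'attachments': [{'name', 'content'}]}."""
    has_encrypted_pdf = any(
        a["name"].lower().endswith(".pdf") and pdf_looks_encrypted(a["content"])
        for a in msg["attachments"]
    )
    if not has_encrypted_pdf or not credential_theft_intent(msg["body"]):
        return False
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    # Negate for high-trust domains only while their DMARC check passes
    return not (domain in HIGH_TRUST_DOMAINS and msg["dmarc_pass"])
```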
Categories
  • Endpoint
  • Web
  • Cloud
Data Sources
  • User Account
  • File
  • Network Traffic
  • Application Log
Created: 2024-08-27