Suspicious Attachment: Duplicate decoy PDF files

Sublime Rules

Summary
This detection rule identifies potentially malicious email messages that contain duplicate PDF attachments. The primary criteria for triggering it are that the message carries more than one inbound attachment and that every attachment is a PDF. The rule identifies duplicates either by filename or by MD5 hash value, meaning that two or more identical PDFs were included in the message. For the attachments to be flagged, the PDFs must also contain no readable text and no hyperlinks, characteristics often associated with decoy files used in phishing attempts. The detection combines file analysis with Optical Character Recognition (OCR) to assess the attachments. By comparing filenames and hash values, the rule aims to catch an evasion tactic used in credential phishing campaigns, where attackers attach decoy documents to lure victims.
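The criteria above, restated as an added Python illustration of the rule's logic (this is not the Sublime rule itself; the Attachment model, the pre-computed OCR text and hyperlink fields, and the sample PDFs are constructed assumptions):

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Attachment:
    """Minimal model of one inbound attachment (constructed for this example)."""
    file_name: str
    content_type: str
    data: bytes
    ocr_text: str = ""  # text an OCR step recovered from the rendered pages (assumed input)
    hyperlinks: list = field(default_factory=list)  # URLs found in the PDF's link annotations

    @property
    def md5(self) -> str:
        return hashlib.md5(self.data).hexdigest()

def is_pdf(att: Attachment) -> bool:
    # Accept either the declared MIME type or the extension; decoys are often mislabelled.
    return att.content_type == "application/pdf" or att.file_name.lower().endswith(".pdf")

def is_decoy(att: Attachment) -> bool:
    # A decoy PDF carries no readable text and no hyperlinks.
    return not att.ocr_text.strip() and not att.hyperlinks

def duplicate_decoy_pdfs(attachments: list[Attachment]) -> bool:
    """True when a message meets every criterion of the rule."""
    if len(attachments) < 2:                     # more than one attachment
        return False
    if not all(is_pdf(a) for a in attachments):  # all of them PDFs
        return False
    names = [a.file_name.lower() for a in attachments]
    hashes = [a.md5 for a in attachments]
    if len(set(names)) == len(names) and len(set(hashes)) == len(hashes):
        return False                             # no duplicate by name or by MD5
    return all(is_decoy(a) for a in attachments)

# Constructed sample: two byte-identical blank PDFs under slightly different names.
BLANK_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF"
DECOY_MESSAGE = [
    Attachment("invoice.pdf", "application/pdf", BLANK_PDF),
    Attachment("invoice (1).pdf", "application/pdf", BLANK_PDF),
]
# Same bytes, but one copy carries a hyperlink, so it is not a decoy and the rule stays silent.
LINKED_MESSAGE = [
    Attachment("invoice.pdf", "application/pdf", BLANK_PDF),
    Attachment("invoice.pdf", "application/pdf", BLANK_PDF, hyperlinks=["https://example.invalid/"]),
]
```

Note that a duplicate by filename alone (same name, different bytes) still matches, as does a duplicate by MD5 alone, which is why both lists are checked.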
Categories
  • Endpoint
  • Web
  • Application
Data Sources
  • File
  • Process
  • Network Traffic
Created: 2024-08-02