
Summary
This rule is designed to detect phishing attacks that target users with fraudulent emails carrying a PDF attachment that leads to a fake Bitcoin exchange. The detection logic focuses on specific characteristics of such emails, particularly those sent from free email providers. It checks that exactly one attachment, of type PDF, is included and that its filename references Bitcoin in a numerical format (for example, an amount in BTC). Additionally, the PDF's properties are examined using Exif analysis to confirm that it has a sufficient page count and contains a single external link, which points to a potentially harmful URL. If all these conditions are met, the message is flagged as a likely phishing or BEC (Business Email Compromise) attempt that relies on social engineering.
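As an added illustration (not the rule's own query language or code), the following Python mirrors the conditions listed in the summary over constructed sample messages. The free-mail domain list, the BTC filename pattern and the two-page minimum are assumptions, since the page states no thresholds.

```python
import re
from dataclasses import dataclass, field

# Assumed free-mail domain list; the rule's own list is not shown on the page.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Assumed pattern for "Bitcoin in a numerical format", e.g. "0.45 BTC" or "1,250BTC".
BTC_AMOUNT_RE = re.compile(r"\b\d[\d,]*(?:\.\d+)?\s*BTC\b", re.IGNORECASE)
MIN_PAGE_COUNT = 2  # assumed threshold; the page only says "sufficient"


@dataclass
class Attachment:
    filename: str
    content_type: str
    page_count: int = 0                                  # from the PDF's metadata
    external_links: list = field(default_factory=list)   # URLs found in the PDF


@dataclass
class Message:
    sender: str
    attachments: list


def is_free_mail_sender(sender: str) -> bool:
    return sender.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS


def matches_btc_pdf_phish(msg: Message) -> bool:
    """True when every condition from the rule summary holds for msg."""
    if not is_free_mail_sender(msg.sender):
        return False
    # exactly one attachment, and it must be a PDF
    if len(msg.attachments) != 1:
        return False
    pdf = msg.attachments[0]
    if pdf.content_type != "application/pdf" and not pdf.filename.lower().endswith(".pdf"):
        return False
    if not BTC_AMOUNT_RE.search(pdf.filename):
        return False
    if pdf.page_count < MIN_PAGE_COUNT:
        return False
    # exactly one external link, which the rule treats as the lure URL
    return len(pdf.external_links) == 1


# Constructed sample messages (placeholder values, not real indicators).
SUSPECT = Message("trader123@gmail.com", [Attachment(
    "Payout 0.45 BTC.pdf", "application/pdf", 3, ["https://example.invalid/login"])])
BENIGN = Message("billing@vendor.example", [Attachment(
    "Invoice 1234.pdf", "application/pdf", 2, ["https://vendor.example/pay"])])
```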
Categories
- Web
- Cloud
- Application
- Identity Management
Data Sources
- User Account
- File
- Process
Created: 2023-02-08