diff --git a/detection-rules/attachment_encrypted_pdf_cred_theft.yml b/detection-rules/attachment_encrypted_pdf_cred_theft.yml
index 08ef824fc0c..7e4d362e266 100644
--- a/detection-rules/attachment_encrypted_pdf_cred_theft.yml
+++ b/detection-rules/attachment_encrypted_pdf_cred_theft.yml
@@ -23,6 +23,25 @@ source: |
 or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
 .name == "cred_theft" and .confidence in ("medium", "high")
 )
+ or (
+ (
+ regex.icontains(body.current_thread.text,
+ 'PDF\s*(?:Access|Unlock|Decrypt)\s*(?:Pass)?code'
+ )
+ or (
+ (
+ length(body.current_thread.text) <= 10
+ or (body.current_thread.text is null)
+ )
+ and any(body.previous_threads,
+ regex.icontains(.text,
+ 'PDF\s*(?:Access|Unlock|Decrypt)\s*(?:Pass)?code'
+
+ )
+ )
+ )
+ )
+ )
 )
 and (
 (
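Review bot: The new pattern `PDF\s*(?:Access|Unlock|Decrypt)\s*(?:Pass)?code` only accepts "Code" or "Passcode", so a lure worded "PDF Access Password" / "PDF Unlock Password" (a very common variant of this same theme) is missed by both the current-thread branch and the previous_threads fallback. Both copies of the regex should be changed to `'PDF\s*(?:Access|Unlock|Decrypt)\s*(?:pass(?:word|code)|code)'` (icontains already makes the match case-insensitive, so the inner casing does not matter). Whether the wider phrase is safe against legitimate senders of password-protected PDFs depends on the attachment conditions that follow the trailing `and (`, which lie outside this hunk, so it should be checked against those before merging. Two style nits: the same regex is written twice and will drift if only one copy is edited, and there is a stray blank added line between the second pattern and its closing `)` that should be dropped. The `source` expression starts before and continues after this hunk.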