From e44322587404183c6962e75c6993a72024516f8b Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Thu, 14 Aug 2025 17:32:13 -0700
Subject: [PATCH 1/3] Update attachment_encrypted_pdf_cred_theft.yml

---
 .../attachment_encrypted_pdf_cred_theft.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/detection-rules/attachment_encrypted_pdf_cred_theft.yml b/detection-rules/attachment_encrypted_pdf_cred_theft.yml
index 08ef824fc0c..615876fae77 100644
--- a/detection-rules/attachment_encrypted_pdf_cred_theft.yml
+++ b/detection-rules/attachment_encrypted_pdf_cred_theft.yml
@@ -23,6 +23,24 @@ source: |
 or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
 .name == "cred_theft" and .confidence in ("medium", "high")
 )
+ or (
+ (
+ regex.icontains(body.current_thread.text,
+ 'PDF(\s((Access|Unlock|Decrypt)\s?Code|Passcode))'
+ )
+ or (
+ (
+ length(body.current_thread.text) <= 10
+ or (body.current_thread.text is null)
+ )
+ and any(body.previous_threads,
+ regex.icontains(.text,
+ 'PDF(\s((Access|Unlock|Decrypt)\s?Code|Passcode))'
+ )
+ )
+ )
+ )
+ )
 )
 and (
 (
From 78b9339ca832c8cac4485dbc6ce01eb8beab5090 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Fri, 15 Aug 2025 13:31:37 -0700
Subject: [PATCH 2/3] Update detection-rules/attachment_encrypted_pdf_cred_theft.yml

Co-authored-by: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>

---
 detection-rules/attachment_encrypted_pdf_cred_theft.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/attachment_encrypted_pdf_cred_theft.yml b/detection-rules/attachment_encrypted_pdf_cred_theft.yml
index 615876fae77..3627c256a73 100644
--- a/detection-rules/attachment_encrypted_pdf_cred_theft.yml
+++ b/detection-rules/attachment_encrypted_pdf_cred_theft.yml
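Review bot: The lure pattern `'PDF(\s((Access|Unlock|Decrypt)\s?Code|Passcode))'` is written out twice in this hunk — once against `body.current_thread.text` and again inside the `any(body.previous_threads, ...)` fallback — so the two literals must be edited in lockstep, which is exactly what patches 2/3 of this series end up doing one copy at a time. If the rule language gives no way to bind the pattern once, a comment tying the copies together would at least make the coupling visible, e.g. `// keep in sync with the previous_threads pattern below` above the first `regex.icontains` and a mirror comment above the second. The fallback branch (`length(body.current_thread.text) <= 10 or (body.current_thread.text is null)`) also deserves a one-line why-comment, since it matches text from a quoted earlier message rather than the message being evaluated, so a short benign reply to a thread that already contained the lure phrase may satisfy this sub-expression — useful context for triage. The enclosing `source:` expression starts and ends outside the hunk, so whether other conditions gate this is not visible here.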
@@ -26,7 +26,7 @@ source: |
 or (
 (
 regex.icontains(body.current_thread.text,
- 'PDF(\s((Access|Unlock|Decrypt)\s?Code|Passcode))'
+ 'PDF\s*(?:Access|Unlock|Decrypt)\s*(?:Pass)?code'
 )
 or (
 (
From d41fdf4553770d7c33d3756173b1be8744f08ee9 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Fri, 15 Aug 2025 13:31:44 -0700
Subject: [PATCH 3/3] Update detection-rules/attachment_encrypted_pdf_cred_theft.yml

Co-authored-by: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>

---
 detection-rules/attachment_encrypted_pdf_cred_theft.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/detection-rules/attachment_encrypted_pdf_cred_theft.yml b/detection-rules/attachment_encrypted_pdf_cred_theft.yml
index 3627c256a73..7e4d362e266 100644
--- a/detection-rules/attachment_encrypted_pdf_cred_theft.yml
+++ b/detection-rules/attachment_encrypted_pdf_cred_theft.yml
@@ -35,7 +35,8 @@ source: |
 )
 and any(body.previous_threads,
 regex.icontains(.text,
- 'PDF(\s((Access|Unlock|Decrypt)\s?Code|Passcode))'
+ 'PDF\s*(?:Access|Unlock|Decrypt)\s*(?:Pass)?code'
+ )
 )
 )
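Review bot: The replacement pattern `'PDF\s*(?:Access|Unlock|Decrypt)\s*(?:Pass)?code'` now requires one of Access/Unlock/Decrypt, so a bare "PDF Passcode" — which the removed pattern matched through its `|Passcode` alternative — no longer matches; if that narrowing is not intended, `'PDF\s*(?:(?:Access|Unlock|Decrypt)\s*(?:Pass)?code|Passcode)'` keeps the old coverage while retaining the looser spacing. The switch to `\s*` is a genuine gain, since run-together variants such as "PDFUnlockCode" now match, and a short comment naming the phrasings the pattern is meant to catch, e.g. `// "PDF access code" / "PDF unlock passcode" lure text, spacing optional`, would make later edits to it safer. The same pattern is applied to the previous_threads copy in patch 3 of this series and the same question applies there. The enclosing expression starts and ends outside the hunk.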