diff --git a/detection-rules/attachment_embedded_pdf_icon.yml b/detection-rules/attachment_embedded_pdf_icon.yml
new file mode 100644
index 00000000000..cf19626293d
--- /dev/null
+++ b/detection-rules/attachment_embedded_pdf_icon.yml
@@ -0,0 +1,20 @@
+name: "Attachment: Embedded PDF icon with inline image reference"
+description: "Detects messages containing HTML with PDF icons that reference inline images using Content-ID (CID) patterns, commonly used to create misleading PDF attachment appearances without actual PDF files."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and length(html.xpath(body.html, '//img').nodes) == 1
+ and any(html.xpath(body.html, '//img[@alt="PDF"]').nodes,
+ regex.contains(.raw, 'src="cid:image[0-9]{3}\.png@')
+ )
+attack_types:
+ - "Credential Phishing"
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Evasion"
+ - "Image as content"
+detection_methods:
+ - "HTML analysis"
+ - "Content analysis"
+id: "118751f2-9ce2-5a04-9c7d-d42c32d504fb"
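Review bot: The description states the icon is used "without actual PDF files", but nothing in `source` inspects the attachment list, so a legitimate mailer that embeds a PDF icon by CID and also attaches the real PDF will match and produce a false positive; adding a guard such as `and not any(attachments, .file_extension == "pdf")` would make the logic match the stated intent, assuming that is the attachment field naming used by the rest of this repository. The `regex.contains(.raw, 'src="cid:image[0-9]{3}\.png@')` clause and the `//img[@alt="PDF"]` XPath are both case-sensitive exact shapes, which keeps precision high but makes the rule's actual coverage narrower than the description implies. A short comment inside `source` recording why this exact filename shape was chosen (for example, that it reflects observed samples) would help whoever tunes the rule later judge whether to widen it. Consider also that the single-space indentation inside the `source: |` block and the sequences is valid YAML but differs from the two-space style the linter expects; confirm it matches the other rule files.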