Updating rule: attachment_microsoft_image_lure_qr_code.yml (#812)

Co-authored-by: Sam Scholten <[email protected]>

detection-rules/attachment_microsoft_image_lure_qr_code.yml

@@ -7,13 +7,18 @@ source: |
   type.inbound
   and (
     any(attachments,
-        .file_type in $file_types_images
+        (.file_type in $file_types_images or .file_type == "pdf")
         and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
     )
     or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft"))
+    or (any(attachments, .file_type in~ $file_extensions_macros))
   )
   and any(attachments,
-          .file_type in $file_types_images
+          (
+            .file_type in $file_types_images
+            or .file_type == "pdf"
+            or .file_type in $file_extensions_macros
+          )
           and (
             any(file.explode(.),
                 regex.icontains(.scan.ocr.raw, 'scan|camera')
@@ -72,6 +77,7 @@ attack_types:
   - "Credential Phishing"
 tactics_and_techniques:
   - "Impersonation: Brand"
+  - "PDF"
   - "QR code"
   - "Social engineering"
 detection_methods: