diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
index 7b024a35f89..8ad0f0d1947 100644
--- a/detection-rules/attachment_microsoft_image_lure_qr_code.yml
+++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
@@ -7,13 +7,18 @@ source: |
 type.inbound
 and (
 any(attachments,
- .file_type in $file_types_images
+ (.file_type in $file_types_images or .file_type == "pdf")
 and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
 )
 or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft"))
+ or (any(attachments, .file_type in~ $file_extensions_macros))
 )
 and any(attachments,
- .file_type in $file_types_images
+ (
+ .file_type in $file_types_images
+ or .file_type == "pdf"
+ or .file_type in $file_extensions_macros
+ )
 and (
 any(file.explode(.),
 regex.icontains(.scan.ocr.raw, 'scan|camera')
@@ -72,6 +77,7 @@ attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
 - "Impersonation: Brand"
+ - "PDF"
 - "QR code"
 - "Social engineering"
 detection_methods:
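Review bot: The two new macro-list checks disagree on case handling: the first group uses `.file_type in~ $file_extensions_macros` (case-insensitive) while the second `any(attachments, ...)` uses `.file_type in $file_extensions_macros` (case-sensitive), and since both groups are joined by `and`, an attachment whose file_type differs only in case from the list would pass the first test and then be dropped by the second; unless `.file_type` is already normalized to lowercase upstream (not visible here), the second line should read `or .file_type in~ $file_extensions_macros`, and the same consideration applies to `.file_type == "pdf"`. Separately, the added `or (any(attachments, .file_type in~ $file_extensions_macros))` sits alongside the Microsoft logo-detection branches rather than inside them, so a macro-bearing attachment now satisfies the first group with no brand check at all, which widens this "Microsoft image lure" rule to any inbound macro attachment that also matches the OCR/`scan|camera` condition; if that is intended, a comment on that line stating the rationale would help, since the `$file_extensions_macros` list is defined outside this hunk. The enclosing `any(attachments, ...)` expression continues past the end of the hunk.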