diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml
index 70a5f553c6b..cdae99e81c3 100644
--- a/detection-rules/link_qr_code_suspicious_language_fts.yml
+++ b/detection-rules/link_qr_code_suspicious_language_fts.yml
@@ -11,7 +11,7 @@ source: |
   // check image attachments for QR code, will want to add message.screenshot functionality here when it's ready
   // and length(attachments) < 10
   and any(attachments,
-          .file_type in $file_types_images
+          (.file_type in $file_types_images or .file_type == "pdf")
           and any(file.explode(.),
                   .scan.qr.type == "url"