diff --git a/detection-rules/link_pdf_display_mismatch.yml b/detection-rules/link_pdf_display_mismatch.yml
new file mode 100644
index 00000000000..873e98d9048
--- /dev/null
+++ b/detection-rules/link_pdf_display_mismatch.yml
@@ -0,0 +1,53 @@
+name: "Link: PDF display mismatch with business document social engineering"
+description: "Detects links that display as PDF files but actually point to HTML pages on low-reputation domains, combined with business proposal or document-related social engineering language in the subject or body from external senders."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+
+ // SECTION 1: Core PDF Display Mismatch Pattern (High Confidence Indicator)
+ and any(body.links,
+ // Link displays as PDF but points to HTML page
+ strings.ilike(.display_text, "*.pdf")
+ and strings.icontains(.href_url.url, ".html")
+ // Link domain is not reputable
+ and .href_url.domain.root_domain not in $tranco_1m
+ // Domain completely unrelated to sender's organization
+ and .href_url.domain.root_domain != sender.email.domain.root_domain
+ )
+
+ // SECTION 3: Business Document Social Engineering Context
+ and (
+ // Look for business proposal/document language
+ strings.ilike(body.html.display_text,
+ "*proposal*", "*RFP*", "*selected*", "*document*",
+ "*preview*", "*review*", "*architects*", "*invited*")
+ or strings.ilike(subject.subject,
+ "*proposal*", "*RFP*", "*document*", "*architects*")
+ )
+
+ // SECTION 5: False Positive Reduction
+ and not (
+ // Not from organizational domains
+ sender.email.domain.root_domain in $org_domains
+ // Not from established legitimate senders
+ or profile.by_sender().any_messages_benign
+ // Not legitimate document sharing services
+ or any(body.links,
+ strings.ilike(.display_text, "*.pdf")
+ and .href_url.domain.root_domain in ("dropbox.com", "onedrive.live.com", "drive.google.com")
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+ - "BEC/Fraud"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
+ - "URL analysis"
+ - "Whois"
+id: "901c1dd0-d557-57cf-b520-a287ad6e8be7"
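Review bot: The document-sharing exclusion in SECTION 5 is evaluated per message rather than per link, so one decoy link displayed as `*.pdf` that points at dropbox.com suppresses the rule even when a different link in the same body satisfies the SECTION 1 mismatch; move that check into the SECTION 1 `any()` as `and .href_url.domain.root_domain not in ("dropbox.com", "onedrive.live.com", "drive.google.com")` and drop the `or any(...)` branch in SECTION 5. `strings.icontains(.href_url.url, ".html")` also covers only one of the extensions a PDF-labelled landing page can use (`.htm`, `.php`, `.aspx` are missed) and matches anywhere in the URL including the query string, so `strings.ilike(.href_url.path, "*.html", "*.htm")` — or, more generally, any PDF-labelled link whose path does not end in `.pdf` — is the better test of "displays as PDF but is not one". The `sender.email.domain.root_domain in $org_domains` exclusion is not tied to authentication; pair it with `headers.auth_summary.dmarc.pass` so a spoofed From: on the organisation's own domain cannot opt out of the rule. `profile.by_sender().any_messages_benign` presumably suppresses any sender with a single prior benign message, which is exactly the profile of a compromised vendor mailbox sending a fake proposal or RFP, so confirm that trade-off is intended. The section headers numbered 1, 3 and 5 read as leftovers from removed sections and should be renumbered.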