diff --git a/detection-rules/link_concatenated_display_text_pdf_reference.yml b/detection-rules/link_concatenated_display_text_pdf_reference.yml
new file mode 100644
index 00000000000..522492240f6
--- /dev/null
+++ b/detection-rules/link_concatenated_display_text_pdf_reference.yml
@@ -0,0 +1,22 @@
+name: "Link: Concatenated display text concealing duplicate URLs with PDF reference"
+description: "Detects messages where two identical links are displayed as a single continuous text string, with the second link containing 'PDF' in its display text. This technique can be used to obscure the true nature of links by making them appear as legitimate document references."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and strings.contains(body.current_thread.text,
+                       strings.concat(body.current_thread.links[0].display_text,
+                                      body.current_thread.links[1].display_text
+                       )
+  )
+  and body.current_thread.links[0].href_url.url == body.current_thread.links[1].href_url.url
+  and strings.icontains(body.current_thread.links[1].display_text, 'pdf')
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "URL analysis"
+id: "4cb86869-bb02-5903-bb7b-3cc2f88eb207"