Hi there,
To answer your question, I would point you to one of the best regex sites to help you define queries.
Check out https://regex101.com/r/7C7YsR/1 to get some ideas.
I personally would create a content filter checking for two components:
- textblock in subject: "sent you"
- pdf as file attachment
The filter would be like:
CheckforBadPDFv1: if (body-contains("sent you", 1)) AND (attachment-filetype == "pdf") {
    quarantine("Policy");
}
I hope that helps. Be aware that this might also catch valid messages shared from O365 with a PDF.
-Marc
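
An added example, not part of the post above and not appliance code: a small Python harness that applies the same two conditions to constructed sample messages, so the false-positive case mentioned in the post can be checked before the filter goes live. The function names and sample messages are hypothetical, and identifying the PDF by its leading bytes rather than its file name is an assumption of this sketch.

```python
import re
from email.message import EmailMessage

PHRASE = re.compile(r"sent you", re.IGNORECASE)  # same text the filter matches

def body_contains(msg, pattern, min_hits=1):
    """Count pattern hits across the text parts of the message."""
    hits = 0
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            hits += len(pattern.findall(part.get_content()))
    return hits >= min_hits

def has_pdf_attachment(msg):
    """Treat an attachment as a PDF if it starts with the PDF magic bytes."""
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if data.startswith(b"%PDF-"):
            return True
    return False

def verdict(msg):
    """Both conditions must hold, mirroring the AND in the filter."""
    if body_contains(msg, PHRASE) and has_pdf_attachment(msg):
        return "quarantine"
    return "deliver"

def build(body, attachment=None, filename=None):
    """Build a constructed test message (hypothetical helper)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg

PDF = b"%PDF-1.7\n% constructed stub, not a real document\n"
SAMPLES = {  # all constructed for this example
    "o365_share_with_pdf": build("Alice sent you a file", PDF, "report.pdf"),
    "phrase_no_attachment": build("Alice sent you a link"),
    "pdf_without_phrase": build("Minutes attached", PDF, "minutes.pdf"),
    "pdf_renamed_txt": build("Bob sent you an invoice", PDF, "invoice.txt"),
    "phrase_with_text_file": build("Bob sent you notes", b"plain notes", "n.txt"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:24} {verdict(msg)}")
```

The first sample is the legitimate-share case from the caveat above: it is quarantined like any other match, so expect to review the "Policy" quarantine after enabling the filter.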