There are three parts to the email filtering process: sender filters, message content filters, and attachment filters. Then there are defense-in-depth strategies as well.
Messages from gmail are well authenticated, so you know that the purported user and the actual user are the same.
- Block the source email address
I am amazed at how little spam comes from gmail. They must be really good at using their data collection tools to catch and block problem accounts.
Message content Filters:
Not applicable given the data you have supplied. But if this particular attack uses a come-on like "Special Offer", you could write a filter rule which is specific to this attack.
What constitutes a malicious attachment? This is an inherently difficult problem.
If the attachment can contain macros or scripts, the answer is as complex as the imagination of the script developer. Detecting a malicious script requires detailed knowledge of the file structure and sophisticated interpretation of the code. Reliability is not likely.
Consequently, the approaches that I have seen include:
Block attachments based on file extension.
Block attachments based on MIME type..
Block Office documents with embedded macros.
In this case, your ideal rule is probably to quarantine messages with PDF attachments coming from gmail, which will require manual labor to manage the quarantine.
Woefully many spam filters are unable to do multi-attribute filters. If you cannot write a rule that selects on both source (gmail.com) and attachment type (PDF), you should look for one that can (which is how I ended up using Declude).
Defense in depth
A lot of email attacks use malicious web links, and some attachment attacks will trigger web downloads as well. Every organization needs a good web filter.
User education. Remind people continuously to reject messages from unrecognized sources.
There is no one spam solution that can perfectly detect and block every threat that can be created by human ingenuity applied to evil purposes, and do so without blocking wanted messages as well.