
Attachment: PDF with CVE-2026-34621 lures

Sublime Rules

Summary
Detects inbound messages carrying a PDF attachment whose top-level (depth 0) file object, once the attachment is exploded, produces a YARA match with the signature name pdf_cve_2026_34621_observed_lures. The rule targets lure activity observed in PDFs associated with CVE-2026-34621. It relies on file analysis of attachments and YARA scanning to identify PDFs built as lures, and it constrains the match to the file's top-level structure to reduce noise from nested content. Severity is high, and the rule aligns with Malware/Ransomware risk stemming from weaponized PDFs. Assumptions and limitations: the YARA rules must be loaded, and the inbound processing pipeline must be able to explode and inspect PDF file structures; deeply nested content or obfuscated variants that do not trigger the YARA signature will be missed (false negatives), and, less commonly, legitimate PDFs that inadvertently trigger the signature will produce false positives.
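To make the rule's conditions and its depth-0 caveat concrete, the following is an added example (not the rule's own MQL, and not code from Sublime Security) that models the evaluation in Python: a message with attachments, each exploded into file objects that carry a depth and a list of matched YARA signature names. The `Message`, `Attachment` and `FileObject` classes and the `rule_matches` function are assumptions made for the illustration; the signature name is the one given in the summary. The sample messages are constructed, not real lures.

```python
"""Model of the detection logic described in the summary (added example,
not the Sublime rule itself): inbound message, PDF attachment, exploded
file tree, YARA match name checked only on depth-0 objects."""
from dataclasses import dataclass, field
from typing import Dict, List

# Signature name taken from the rule summary.
SIGNATURE = "pdf_cve_2026_34621_observed_lures"


@dataclass
class FileObject:
    """One object produced by exploding an attachment (hypothetical model
    of the exploded-file output)."""
    depth: int                                            # 0 = top-level structure
    yara_matches: List[str] = field(default_factory=list)  # matched signature names


@dataclass
class Attachment:
    file_extension: str
    exploded: List[FileObject] = field(default_factory=list)


@dataclass
class Message:
    inbound: bool
    attachments: List[Attachment] = field(default_factory=list)


def rule_matches(msg: Message, signature: str = SIGNATURE) -> bool:
    """True when the message satisfies the rule as summarised: inbound,
    has a PDF attachment, and a depth-0 file object of that attachment
    carries a YARA match with the given signature name."""
    if not msg.inbound:
        return False
    return any(
        att.file_extension.lower() == "pdf"
        and any(
            obj.depth == 0 and signature in obj.yara_matches
            for obj in att.exploded
        )
        for att in msg.attachments
    )


# Constructed samples (not real data) exercising each branch of the rule.
LURE_PDF = Message(
    inbound=True,
    attachments=[Attachment("pdf", [FileObject(0, [SIGNATURE])])],
)
# Signature only fires on a nested object: the depth-0 constraint makes this
# a miss, which is the false-negative case the summary warns about.
NESTED_ONLY = Message(
    inbound=True,
    attachments=[Attachment("pdf", [FileObject(0), FileObject(1, [SIGNATURE])])],
)
# Not a PDF attachment, so the rule never reaches the YARA check.
NOT_PDF = Message(
    inbound=True,
    attachments=[Attachment("docx", [FileObject(0, [SIGNATURE])])],
)
# Outbound traffic is out of scope for this inbound rule.
OUTBOUND = Message(
    inbound=False,
    attachments=[Attachment("pdf", [FileObject(0, [SIGNATURE])])],
)


def evaluate_samples() -> Dict[str, bool]:
    """Evaluate every constructed sample; useful for seeing rule coverage."""
    return {
        "lure_pdf": rule_matches(LURE_PDF),
        "nested_only": rule_matches(NESTED_ONLY),
        "not_pdf": rule_matches(NOT_PDF),
        "outbound": rule_matches(OUTBOUND),
    }


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

The `NESTED_ONLY` sample is the one worth studying when tuning: relaxing the depth check to cover nested objects would catch it, at the cost of the extra noise from nested content that the depth-0 constraint is there to avoid.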
Categories
  • Endpoint
Data Sources
  • File
Created: 2026-04-23