
Summary
This rule flags inbound emails or network traffic carrying a PDF attachment whose document content contains the exact PDF coordinate string '/Rect [ 249.75 560 407.25 599.75 ]'. This rectangle pattern can indicate a templated or malicious document structure commonly seen in credential phishing campaigns. The detection filters inbound content for PDF attachments, expands the file so that its internal strings are accessible, and searches for the specific '/Rect' string. On a match, the rule raises a medium-severity Credential Phishing alert based on PDF/content analysis. Note that legitimate templated PDFs can also contain the same coordinates, so additional context indicators help reduce false positives.
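As an added illustration of the detection logic described above (example code, not the rule's own implementation), the Python below expands FlateDecode streams in a PDF and searches the result for the exact '/Rect' string; the minimal PDF documents, object layout and https://example.invalid URL are constructed here for the demonstration.

```python
import re
import zlib

# Exact coordinate string the rule looks for (taken from the rule description).
RECT_PATTERN = b"/Rect [ 249.75 560 407.25 599.75 ]"


def expand_pdf(data: bytes) -> bytes:
    """Return the raw file bytes joined with the inflated body of every
    FlateDecode stream, so strings inside compressed object streams become
    searchable. Streams that fail to inflate are skipped (raw bytes remain)."""
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\nendstream", data, re.DOTALL):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed or corrupt; nothing more to expand
    return b"\n".join(parts)


def matches_rect_rule(pdf_bytes: bytes) -> bool:
    """True when the expanded PDF contains the exact '/Rect' string."""
    return RECT_PATTERN in expand_pdf(pdf_bytes)


def build_sample_pdf(annot_dict: bytes, compress: bool) -> bytes:
    """Constructed minimal PDF-like document (not a real sample) holding one
    annotation dictionary, optionally wrapped in a FlateDecode stream."""
    if compress:
        body = zlib.compress(annot_dict)
        head = b"4 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\n" % len(body)
        obj = head + b"stream\n" + body + b"\nendstream\nendobj\n"
    else:
        obj = b"4 0 obj\n" + annot_dict + b"\nendobj\n"
    return b"%PDF-1.7\n" + obj + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed inputs: a link annotation at the flagged rectangle (in the clear
# and compressed) and a benign annotation at different coordinates.
FLAGGED_ANNOT = (b"<< /Type /Annot /Subtype /Link "
                 b"/Rect [ 249.75 560 407.25 599.75 ] "
                 b"/A << /S /URI /URI (https://example.invalid/login) >> >>")
BENIGN_ANNOT = b"<< /Type /Annot /Subtype /Link /Rect [ 72 700 200 720 ] >>"

PLAIN_HIT = build_sample_pdf(FLAGGED_ANNOT, compress=False)
COMPRESSED_HIT = build_sample_pdf(FLAGGED_ANNOT, compress=True)
BENIGN = build_sample_pdf(BENIGN_ANNOT, compress=False)

if __name__ == "__main__":
    for name, pdf in [("plain", PLAIN_HIT), ("compressed", COMPRESSED_HIT), ("benign", BENIGN)]:
        print(name, "-> alert" if matches_rect_rule(pdf) else "-> no match")
```

The compressed case shows why the expansion step matters: a plain substring search over the raw file misses the string, while the expanded content matches.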
Categories
- Network
Data Sources
- File
Created: 2026-03-03