
Summary
Detects inbound messages carrying PDF attachments whose EXIF metadata names 'Shelby Porter' as the author or creator. The rule fires when an inbound artifact (such as an email) includes at least one PDF file and any of those PDFs has its EXIF author or creator field set to 'Shelby Porter'. It relies on file analysis and EXIF extraction (beta.parse_exif) to inspect attachment metadata and raises an alert for potential credential phishing that depends on manipulated or misattributed PDF metadata, giving responders an early flag on suspicious inbound attachments. Expect false positives where legitimate PDFs are genuinely authored by Shelby Porter or carry otherwise benign EXIF data; correlate with additional signals before acting. The rule is aligned with Credential Phishing and targets PDF-related techniques.
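The predicate described above, modelled in Python as an added example (this is not the rule's own query language and not code from the rule's project). Field names such as `direction`, `attachments`, `content_type` and `exif` are assumptions standing in for the real message schema, the `exif` dict stands in for what beta.parse_exif would return, the exact case-sensitive match on the author value is an assumption, and the sample messages are constructed:

```python
# Added example (not the rule's own MQL): models the predicate described in the
# summary. Field names (direction, attachments, content_type, exif) are assumed;
# the exif dict stands in for parsed EXIF output; samples are constructed.
from dataclasses import dataclass, field
from typing import Dict, List

TARGET_AUTHOR = "Shelby Porter"     # author/creator value named in the rule summary
EXIF_KEYS = ("author", "creator")   # the two EXIF fields the rule inspects


@dataclass
class Attachment:
    file_name: str
    content_type: str
    exif: Dict[str, str] = field(default_factory=dict)  # stand-in for parsed EXIF


@dataclass
class Message:
    direction: str  # "inbound" or "outbound" (assumed field name)
    attachments: List[Attachment] = field(default_factory=list)


def is_pdf(att: Attachment) -> bool:
    """Treat an attachment as a PDF by declared type or by extension, so a
    mislabelled content type alone does not hide the file from the check."""
    return (att.content_type.lower() == "application/pdf"
            or att.file_name.lower().endswith(".pdf"))


def exif_author_matches(exif: Dict[str, str], target: str = TARGET_AUTHOR) -> bool:
    """True if the EXIF author or creator equals the target after trimming
    surrounding whitespace. Exact, case-sensitive comparison is an assumption."""
    for key in EXIF_KEYS:
        value = exif.get(key)
        if isinstance(value, str) and value.strip() == target:
            return True
    return False


def flagged_attachments(msg: Message) -> List[str]:
    """Return file names of inbound PDF attachments whose EXIF author/creator matches."""
    if msg.direction != "inbound":
        return []
    return [a.file_name for a in msg.attachments
            if is_pdf(a) and exif_author_matches(a.exif)]


def rule_matches(msg: Message) -> bool:
    """The rule fires when at least one inbound PDF attachment matches."""
    return bool(flagged_attachments(msg))


# Constructed sample messages (not real captured data).
SAMPLES = {
    "lure": Message("inbound", [
        Attachment("invoice.pdf", "application/pdf",
                   {"author": "Shelby Porter", "creator": "Microsoft Word"}),
    ]),
    "creator_only": Message("inbound", [
        Attachment("Statement.PDF", "application/octet-stream",
                   {"author": "", "creator": " Shelby Porter "}),
    ]),
    "benign_pdf": Message("inbound", [
        Attachment("report.pdf", "application/pdf",
                   {"author": "Finance Team", "creator": "LibreOffice"}),
    ]),
    "not_pdf": Message("inbound", [
        Attachment("notes.docx",
                   "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
                   {"author": "Shelby Porter"}),
    ]),
    "outbound": Message("outbound", [
        Attachment("invoice.pdf", "application/pdf", {"author": "Shelby Porter"}),
    ]),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over every constructed sample and report the verdicts."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:13s} -> {'ALERT' if verdict else 'pass'}")
```

The `creator_only` sample shows why both EXIF fields and whitespace trimming matter, and `not_pdf` and `outbound` show the two gating conditions (file type and direction) that keep the author check from firing on its own. The false-positive case the summary warns about, a legitimately authored PDF, would look identical to `lure` here, which is why the verdict should be treated as a signal to correlate rather than a final disposition.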
Categories
- Endpoint
Data Sources
- File
Created: 2026-06-02