Attachment: Encrypted PDF With Credential Harvesting Indicators

Sublime Rules

Summary
This rule detects inbound messages carrying PDF attachments that are encrypted and that match a specific YARA signature (pdf_encrypted_cred_phish_001) associated with credential harvesting activity. It fires when an inbound data source contains an attachment whose file type is PDF and a nested analysis of that attachment yields a YARA match for the named rule. The intent is to catch attempts to harvest or exfiltrate credentials by delivering encrypted PDFs that conceal malicious prompts or data, a technique often used to evade static analysis, since content inside an encrypted PDF cannot be inspected until the document is decrypted. Detection relies on file analysis combined with YARA scanning to identify the encrypted-PDF/credential-phishing pattern. The rule is categorized as Medium severity and supports response actions such as alerting, blocking, or further inspection at endpoints or gateways that handle inbound mail attachments. It complements other credential-phishing controls by targeting the encrypted-document delivery mechanism commonly used in social engineering campaigns.
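The detection logic the summary describes, written out as an added Python example that is not the rule's own code or Sublime's query language. The real YARA signature pdf_encrypted_cred_phish_001 is not reproduced on this page, so the hypothetical yara_match() below stands in for it with the one observable the page does name, an /Encrypt reference in the PDF trailer; the sample attachments and message dicts are constructed.

```python
import re

# Constructed sample attachments: a minimal PDF whose trailer references an
# /Encrypt dictionary (the standard marker of a protected PDF) and a plain one.
ENCRYPTED_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"2 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n"
)
PLAIN_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Indirect reference to an encryption dictionary, e.g. "/Encrypt 2 0 R".
ENCRYPT_REF = re.compile(rb"/Encrypt\s+\d+\s+\d+\s+R")


def is_pdf(data: bytes) -> bool:
    """File-type check by magic bytes, not by filename extension, so a renamed
    attachment is still classified as a PDF."""
    return data.startswith(b"%PDF-")


def pdf_is_encrypted(data: bytes) -> bool:
    """True when the trailer (or an xref stream) references an /Encrypt
    dictionary; the document body cannot be inspected statically without
    the password."""
    return is_pdf(data) and ENCRYPT_REF.search(data) is not None


def yara_match(data: bytes, rule_name: str) -> bool:
    """Hypothetical stand-in for the nested YARA scan. Only the encryption
    marker is checked here; the real rule's indicators are not on the page."""
    if rule_name != "pdf_encrypted_cred_phish_001":
        return False
    return pdf_is_encrypted(data)


def rule_matches(message: dict) -> bool:
    """Mirrors the summary: inbound direction, a PDF attachment, and a YARA
    hit for the named rule on that attachment."""
    if message.get("direction") != "inbound":
        return False
    return any(
        is_pdf(att) and yara_match(att, "pdf_encrypted_cred_phish_001")
        for att in message.get("attachments", [])
    )
```

A matched message would then be routed to the alert, block or further-inspection action chosen for Medium severity findings.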
Categories
  • Endpoint
Data Sources
  • File
Created: 2026-06-06