Attachment: Soda PDF Producer with Encryption Themes

Sublime Rules

Summary
This rule detects a specific tactic used in credential phishing attacks: PDF files generated by Soda PDF, a product that lets anyone produce PDFs through a free trial. The detection is evaluated on inbound file attachments with a .pdf extension whose PDF metadata names Soda PDF as the producer. The rule then inspects the OCR (Optical Character Recognition) output of the PDF for encryption themes, such as claims that the document has been encrypted or is secured. The OCR text must also mention the term "PDF". When all of these conditions are met, the rule flags the file as potential credential phishing, since this combination matches a known phishing lure. The severity is set to high because of the risk posed by credential phishing and its potential to compromise user accounts.
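The conditions described above, as an added Python re-implementation that is not the Sublime rule's own MQL source; the Attachment record, the encryption-theme phrase pattern and the sample attachments are constructed assumptions, and the rule's real phrase list may differ:

```python
import re
from dataclasses import dataclass


@dataclass
class Attachment:
    """Constructed stand-in for an analyzed email attachment (assumption)."""
    file_name: str
    file_extension: str
    producer: str          # PDF metadata "Producer" field
    ocr_text: str          # text recovered by OCR from the rendered pages
    inbound: bool = True   # the rule only considers inbound mail


# Assumed phrases that signal the "encrypted / secured document" lure.
ENCRYPTION_THEMES = re.compile(
    r"\b(encrypt(ed|ion)?|secured?|protected)\b", re.IGNORECASE
)
PDF_MENTION = re.compile(r"\bpdf\b", re.IGNORECASE)


def is_soda_pdf_producer(producer: str) -> bool:
    """Producer metadata names Soda PDF (case-insensitive substring match)."""
    return "soda pdf" in producer.lower()


def matches_rule(att: Attachment) -> bool:
    """True when every condition of the detection is satisfied."""
    return (
        att.inbound
        and att.file_extension.lower() == "pdf"
        and is_soda_pdf_producer(att.producer)
        and ENCRYPTION_THEMES.search(att.ocr_text) is not None
        and PDF_MENTION.search(att.ocr_text) is not None
    )


# Constructed sample attachments: one phishing lure, three benign/non-matching.
SAMPLES = [
    Attachment("secure_doc.pdf", "pdf", "Soda PDF Desktop 14",
               "This PDF has been encrypted for your protection. Open to view."),
    Attachment("invoice.pdf", "pdf", "Soda PDF Desktop 14",
               "Invoice #12345. Total due: $450.00"),
    Attachment("notice.pdf", "pdf", "Microsoft Word",
               "Secured PDF document attached."),
    Attachment("secure_doc.docx", "docx", "Soda PDF Desktop 14",
               "This PDF has been encrypted."),
]


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample file name to whether the rule would flag it."""
    return {a.file_name: matches_rule(a) for a in samples}
```

Only the first sample trips all four conditions; the others each fail exactly one, which is a useful sanity check when tuning the phrase pattern.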
Categories
  • Web
  • Endpoint
  • Cloud
Data Sources
  • File
  • Process
  • Application Log
Created: 2025-06-20