
Summary
Detects inbound email with PDF attachments that are likely part of a targeted financial document spoofing attempt (BEC). The rule matches attachments where file_type is pdf, the file_name starts with ATT and contains eCheckRun, and the file_name also contains the first recipient's domain (recipients.to[0].email.domain.sld). This combination suggests a lure crafted for a specific recipient: a faux financial document (ATT... eCheckRun) named to resemble legitimate correspondence. Detection relies on file analysis (attachment properties) and content analysis (filename patterns and recipient domain).
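The filename conditions described above, applied to constructed message metadata, as an added Python example that is not the rule's own source. The dict layout, the helper names and the case-insensitive comparison of the recipient domain are assumptions; the check for inbound direction is not modelled.

```python
# Added illustration: the filename conditions from the summary, applied to
# constructed message metadata. The dict layout is an assumption that mirrors
# the field path recipients.to[0].email.domain.sld named in the rule text.

def first_recipient_sld(message):
    """Return recipients.to[0].email.domain.sld, or None if it is absent."""
    try:
        return message["recipients"]["to"][0]["email"]["domain"]["sld"] or None
    except (KeyError, IndexError, TypeError):
        return None

def matching_attachments(message):
    """List attachment names satisfying every condition in the summary."""
    sld = first_recipient_sld(message)
    if not sld:
        return []  # no To recipient: the recipient-domain condition cannot hold
    hits = []
    for att in message.get("attachments", []):
        name = att.get("file_name") or ""
        if (att.get("file_type") == "pdf"
                and name.startswith("ATT")
                and "eCheckRun" in name
                and sld.lower() in name.lower()):  # assumption: SLD case-insensitive
            hits.append(name)
    return hits

def _msg(sld, *attachments):
    """Build a constructed message; sld=None means an empty To list."""
    to = [{"email": {"domain": {"sld": sld}}}] if sld else []
    return {"recipients": {"to": to},
            "attachments": [{"file_name": n, "file_type": t} for n, t in attachments]}

# Constructed samples, not real traffic.
SAMPLES = {
    "lure": _msg("examplecorp", ("ATT-examplecorp-eCheckRun-0042.pdf", "pdf")),
    "other_domain": _msg("examplecorp", ("ATT-othercorp-eCheckRun-0042.pdf", "pdf")),
    "not_pdf": _msg("examplecorp", ("ATT-examplecorp-eCheckRun-0042.html", "html")),
    "no_prefix": _msg("examplecorp", ("examplecorp-eCheckRun-ATT.pdf", "pdf")),
    "empty_to": _msg(None, ("ATT-examplecorp-eCheckRun-0042.pdf", "pdf")),
}

if __name__ == "__main__":
    for label, message in SAMPLES.items():
        print(label, matching_attachments(message))
```

Because the recipient-domain condition is a substring match, a very short domain label can appear in a filename by coincidence; the ATT prefix and eCheckRun keyword are what keep the match narrow.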
Categories
- Network
Data Sources
- File
Created: 2026-06-17