
Summary
High-severity inbound rule that flags PDF attachments matching a narrow credential-phishing pattern. It targets single-page PDFs (page_count == 1) that contain exactly one embedded URL (length(.scan.url.urls) == 1) and whose extracted text (scan.strings.strings) includes a prompt commonly used to lure a recipient into entering credentials, such as "View Document", "Open Secure Document", DocuSign-related phrasing, or similar document-access language. The extracted text is checked against a long list of exact and regex-based phrases; when any phrase matches and the lone-URL constraint holds, the rule fires as Credential Phishing. To cover common variants, the rule also accepts alternate patterns: a generic error message about viewing a video, minimal content consisting of a single line of text plus the URL, or a DocuSign-style prompt. Detection combines content analysis (text extraction), file analysis (PDF properties such as page count and other metadata the scan exposes), and URL analysis (the single-URL constraint). Because the pattern is deliberately narrow, a legitimate one-page notice that carries a single link and document-access wording can also match, so sender-based exceptions are worth tuning after deployment. The rule is intended for inbound channels such as email gateways or gateway/endpoint monitoring, so that credential-stealing lures are intercepted before a user opens the document.
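The following is an added, stand-alone illustration of the detection logic described above; it is not the rule's own code. It models a PDF attachment scan as a small record whose field names (page_count, strings, urls) are assumptions mirroring the page_count, scan.strings.strings and scan.url.urls references in the summary, uses a constructed subset of the phrase list (the real list is much longer and not reproduced), and runs the page-count, single-URL and phrase checks over a few constructed sample scans, including the video-error and single-line edge cases.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed subset of the phrase list the rule uses (assumption: the real
# list is longer). Exact phrases are compared case-insensitively.
EXACT_PHRASES = [
    "view document",
    "open secure document",
    "docusign",
]

# Regex-based phrases: generic document-access wording and the
# "error viewing a video" variant mentioned in the summary.
REGEX_PHRASES = [
    re.compile(r"\b(view|open|access)\s+(the\s+)?(secure\s+)?(document|file|attachment)\b", re.I),
    re.compile(r"\berror\b.*\bvideo\b", re.I),
]


@dataclass
class PdfScan:
    """Minimal stand-in for an attachment scan result (field names assumed)."""
    page_count: int
    strings: List[str]   # stands in for scan.strings.strings
    urls: List[str]      # stands in for scan.url.urls


def matches_phishing_text(strings: List[str]) -> bool:
    """True if any extracted string hits an exact or regex phrase."""
    text = " ".join(strings)
    lowered = text.lower()
    if any(phrase in lowered for phrase in EXACT_PHRASES):
        return True
    return any(pattern.search(text) for pattern in REGEX_PHRASES)


def is_minimal_content(strings: List[str]) -> bool:
    """Edge case from the summary: a single line of text plus the URL."""
    non_empty = [s for s in strings if s.strip()]
    return len(non_empty) == 1


def detect_credential_phishing_pdf(scan: PdfScan) -> bool:
    """Apply the rule's gates in order: one page, one URL, then lure text."""
    if scan.page_count != 1:
        return False
    if len(scan.urls) != 1:
        return False
    return matches_phishing_text(scan.strings) or is_minimal_content(scan.strings)


# Constructed sample scans (not real attachments).
SAMPLES: Dict[str, PdfScan] = {
    "view_document": PdfScan(
        page_count=1,
        strings=["Your document is ready.", "View Document"],
        urls=["https://example.invalid/doc"],
    ),
    "video_error": PdfScan(
        page_count=1,
        strings=["An error occurred while trying to view this video. Click below to retry."],
        urls=["https://example.invalid/video"],
    ),
    "multipage_report": PdfScan(
        page_count=12,
        strings=["Table of contents", "View Document"],
        urls=["https://example.invalid/report"],
    ),
    "two_urls": PdfScan(
        page_count=1,
        strings=["Open Secure Document"],
        urls=["https://example.invalid/a", "https://example.invalid/b"],
    ),
    "single_page_no_url": PdfScan(
        page_count=1,
        strings=["View Document"],
        urls=[],
    ),
}


def run_samples() -> Dict[str, bool]:
    """Evaluate every constructed sample and return name -> verdict."""
    return {name: detect_credential_phishing_pdf(scan) for name, scan in SAMPLES.items()}


if __name__ == "__main__":
    for name, flagged in run_samples().items():
        print(f"{name:20s} {'Credential Phishing' if flagged else 'no match'}")
```

The gates are evaluated cheapest-first (page count, then URL count) so the phrase scan only runs on attachments that already fit the structural shape; the multipage_report sample shows why that matters, since it contains the lure text but is excluded on page count alone.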
Categories
- Endpoint
- Web
Data Sources
- File
- Network Traffic
Created: 2026-03-03