
Summary
This rule detects inbound email messages carrying PDF attachments that match one of two YARA-based patterns intended to identify W-9 tax form lures used in business email compromise (BEC) campaigns. The condition requires an inbound message type, a PDF attachment, and a file content scan that yields a YARA match on either the w9_c001_signatures or the w9_c001_structure rule name. When triggered, the rule flags the event as high severity. Detection methods include YARA scanning, file analysis, and content analysis. The attack types and techniques focus on PDF-delivered social engineering and brand impersonation that induce recipients to provide sensitive information (e.g., tax form data). The rule helps disrupt tax-related lure campaigns by identifying anomalous or signature-driven PDFs associated with W-9 fraud patterns embedded in inbound messages.
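The following is an added example, not part of the original rule text, showing how the three-part condition (inbound direction, PDF attachment, YARA hit on w9_c001_signatures or w9_c001_structure) can be evaluated over already-scanned messages. The YARA rule bodies are not on the page, so the evaluator consumes match results produced by a scanner rather than scanning content itself; the message and attachment fields, the "inbound"/"outbound" direction values, the PDF identification by declared MIME type or %PDF- magic bytes, and the sample messages are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Rule names taken from the detection description; the YARA bodies are not
# on the page, so matches arrive here as scanner output (assumed pipeline).
W9_RULE_NAMES = {"w9_c001_signatures", "w9_c001_structure"}
SEVERITY = "high"


@dataclass
class Attachment:
    filename: str
    content_type: str                 # MIME type declared by the gateway (assumed field)
    data: bytes                       # first bytes of the file (assumed field)
    yara_matches: List[str] = field(default_factory=list)  # rule names from the scanner


@dataclass
class Message:
    message_id: str
    direction: str                    # "inbound" or "outbound" (assumed values)
    attachments: List[Attachment] = field(default_factory=list)


def is_pdf(att: Attachment) -> bool:
    """Treat as PDF if the declared type says so or the content starts with %PDF-.

    Checking the magic bytes as well as the MIME type means a renamed or
    mislabelled PDF is still scanned (assumption: the gateway exposes raw bytes)."""
    return att.content_type.lower() == "application/pdf" or att.data.startswith(b"%PDF-")


def evaluate(msg: Message) -> Optional[Dict]:
    """Return an alert dict if the rule fires for this message, else None.

    Conditions mirror the rule description: inbound direction AND a PDF
    attachment AND a YARA match on one of the two W-9 rule names."""
    if msg.direction != "inbound":
        return None
    hits = []
    for att in msg.attachments:
        if not is_pdf(att):
            continue
        matched = W9_RULE_NAMES.intersection(att.yara_matches)
        if matched:
            hits.append((att.filename, sorted(matched)))
    if not hits:
        return None
    return {"severity": SEVERITY, "message_id": msg.message_id, "hits": hits}


# Constructed sample messages covering the edge cases the condition has to handle.
SAMPLE_MESSAGES = [
    # inbound PDF with a W-9 signature match -> fires
    Message("m1", "inbound", [Attachment("W-9_form.pdf", "application/pdf",
                                          b"%PDF-1.7 sample", ["w9_c001_signatures"])]),
    # inbound PDF, but only an unrelated rule matched -> no alert
    Message("m2", "inbound", [Attachment("invoice.pdf", "application/pdf",
                                          b"%PDF-1.4 sample", ["other_rule"])]),
    # outbound message with a W-9 match -> out of scope for this rule
    Message("m3", "outbound", [Attachment("W-9.pdf", "application/pdf",
                                           b"%PDF-1.7 sample", ["w9_c001_structure"])]),
    # inbound non-PDF with a W-9 match -> not a PDF attachment, no alert
    Message("m4", "inbound", [Attachment("W-9.docx", "application/octet-stream",
                                          b"PK\x03\x04", ["w9_c001_structure"])]),
    # inbound message with a benign text file plus a PDF matching both rules -> fires
    Message("m5", "inbound", [Attachment("notes.txt", "text/plain", b"hello", []),
                              Attachment("form.pdf", "application/pdf", b"%PDF-1.5 sample",
                                         ["w9_c001_structure", "w9_c001_signatures"])]),
]


def run(messages: List[Message] = SAMPLE_MESSAGES) -> List[Dict]:
    """Evaluate every message and return only the alerts that fired."""
    return [r for r in (evaluate(m) for m in messages) if r is not None]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only m1 and m5 produce alerts; the outbound message, the non-PDF match and the PDF with an unrelated rule name are all filtered out, which is the behaviour a tuning review of this rule should confirm before relying on its high-severity rating.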
Categories
- Network
Data Sources
- File
Created: 2026-06-27