Attachment: PDF contains W9 or invoice YARA signatures

Sublime Rules

Summary
This detection rule identifies PDF attachments that match YARA signatures typically linked to fraudulent W9 tax forms or invoices. Such documents are commonly used as lures in business email compromise (BEC) attacks and credential phishing schemes that aim to extract sensitive personal or financial information. The rule evaluates inbound attachments whose file type is identified as PDF, combining file analysis with YARA signature scanning to detect known patterns associated with W9 and invoice documents. The YARA signatures 'w9_pdf_01' and 'invoice_pdf_01' are specifically targeted for this purpose. The rule flags a message whenever either signature matches, indicating that the PDF may be part of a social engineering attack designed to deceive the recipient into providing confidential data.
Categories
  • Endpoint
  • Web
  • Cloud
Data Sources
  • File
  • Script
Created: 2026-02-12