Attachment: PDF Object Hash with Blue File Icon

Sublime Rules

Summary
Detects inbound PDF attachments that contain a specific PDF object hash (8638ef6bfe382a927aa12a18f2150757) associated with encrypted PDFs used in credential phishing. The rule triggers when an inbound event includes an attachment whose file_type is pdf; the PDF is exploded and its extracted pdf_obj_hash value is compared against the known hash. On a match, the event is flagged with medium severity. The hash is linked to evasive PDFs that combine encryption or obfuscation with a blue file icon lure to draw users into credential theft. Detection relies on file analysis of the attachment (PDF parsing and object hash extraction) rather than on message text or URLs, so the payload is identified inside the document itself. The relevant tactics and techniques are PDF manipulation and evasion; the rule sits with phishing-related activity under Malware/Ransomware-oriented detections and aims to surface stealthy PDF payloads before user interaction.
Categories
  • Endpoint
Data Sources
  • File
  • Process
Created: 2026-06-06