Attachment: PDF Object Hash associated with fake Canada Revenue Agency documents

Sublime Rules

Summary
Technical summary: This inbound rule detects a specific phishing vector in which attackers attach a PDF document that mimics Canada Revenue Agency (CRA) communications. It inspects inbound messages, filters for attachments whose file_type equals pdf, enumerates the PDF's embedded objects, and compares each object's hash (scan.pdf_obj_hash.object_hash) to the known hash cf509abbdc5aa6b1b759a216e3e570cf. A match indicates the presence of the associated fake CRA document variant and triggers a detection with medium severity. Detection relies on file analysis to extract the PDF object hash and on threat intelligence to corroborate that hash. The rule maps to Credential Phishing and Malware/Ransomware campaigns, with PDF usage and evasion as the associated techniques. It helps block or alert on this known malicious artifact and supports incident response by providing a hash-based indicator of compromise.
Categories
  • Endpoint
Data Sources
  • File
Created: 2026-06-18