
Summary
This rule detects inbound email messages that target a single recipient and carry a PDF attachment containing high-confidence credential-theft language tailored to that recipient. It requires: (1) exactly one recipient, with a valid recipient domain; (2) a PDF attachment whose content is extracted and analyzed by an NLP/NLU classifier that identifies the intent cred_theft with high confidence; and (3) extracted text that contains the recipient's own email address, indicating a targeted lure. The rule also flags an invalid reply-to header, defined as a reply-to entry with an empty email address, which is a spoofing signal. A DMARC-based trust gate is applied: messages from domains on a predefined high-trust list are excluded unless DMARC authentication fails or DMARC is missing. Detection methods include file analysis (PDF content extraction and string matching), header analysis (invalid reply-to), NLP-based content analysis (the cred_theft intent), and general content analysis to corroborate that the recipient address appears in the extracted text. This combination aims to catch credential-phishing attempts that use PDF attachments and spoofed or misconfigured headers while minimizing false positives from highly trusted senders whose DMARC is properly configured.
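The following Python is an added illustration of the rule logic described in the summary, not the rule's own query language or any vendor code. It models each message as a small dataclass, assumes the NLU classifier's intents have already been computed and attached to the PDF (the classifier itself is not run here), treats the invalid reply-to check as a required condition alongside the three numbered requirements, and uses a constructed high-trust domain list and constructed sample messages so that the DMARC trust gate and each negative case can be exercised offline.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed high-trust list for illustration; a real deployment supplies its own.
HIGH_TRUST_DOMAINS = {"trusted-vendor.example", "payroll-provider.example"}


@dataclass
class Attachment:
    file_type: str                  # normalized file type, e.g. "pdf"
    extracted_text: str             # text pulled out of the attachment by file analysis
    # (intent name, confidence) pairs; assumed to be pre-computed by the NLU classifier
    intents: List[Tuple[str, str]]


@dataclass
class Message:
    sender_domain: str
    recipients: List[str]
    reply_to: List[str]             # reply-to addresses; "" models an empty entry
    dmarc: Optional[str]            # "pass", "fail", or None when no DMARC result exists
    attachments: List[Attachment] = field(default_factory=list)


def has_valid_domain(address: str) -> bool:
    """Minimal domain sanity check: exactly one '@' and a dotted domain part."""
    if address.count("@") != 1:
        return False
    domain = address.rsplit("@", 1)[1]
    return "." in domain and not domain.startswith(".") and not domain.endswith(".")


def single_valid_recipient(msg: Message) -> bool:
    """Requirement (1): exactly one recipient with a valid domain."""
    return len(msg.recipients) == 1 and has_valid_domain(msg.recipients[0])


def invalid_reply_to(msg: Message) -> bool:
    """Header signal: a reply-to entry whose address is empty. A missing header does not count."""
    return any(addr.strip() == "" for addr in msg.reply_to)


def pdf_cred_theft_naming_recipient(msg: Message) -> bool:
    """Requirements (2) and (3): a PDF with high-confidence cred_theft intent whose text names the recipient."""
    recipient = msg.recipients[0].lower()
    for att in msg.attachments:
        if att.file_type.lower() != "pdf":
            continue
        high_conf = any(name == "cred_theft" and conf == "high" for name, conf in att.intents)
        if high_conf and recipient in att.extracted_text.lower():
            return True
    return False


def excluded_by_trust_gate(msg: Message) -> bool:
    """Trusted domains are exempt only when DMARC passes; a failed or missing result keeps them in scope."""
    return msg.sender_domain.lower() in HIGH_TRUST_DOMAINS and msg.dmarc == "pass"


def rule_matches(msg: Message) -> bool:
    if not single_valid_recipient(msg):
        return False
    if excluded_by_trust_gate(msg):
        return False
    return invalid_reply_to(msg) and pdf_cred_theft_naming_recipient(msg)


# Constructed sample attachments: one lure that names the recipient, one benign document.
LURE_PDF = Attachment(
    file_type="pdf",
    extracted_text="Dear alice@corp.example, your mailbox password expires today. Sign in to keep access.",
    intents=[("cred_theft", "high")],
)
BENIGN_PDF = Attachment("pdf", "Q3 invoice attached, see line items below.", [("invoice", "medium")])


def sample_messages() -> Dict[str, Message]:
    """Constructed messages covering the positive case and each way the rule should not fire."""
    base = dict(recipients=["alice@corp.example"], reply_to=[""], attachments=[LURE_PDF])
    return {
        "targeted_lure": Message(sender_domain="random-sender.example", dmarc=None, **base),
        "trusted_dmarc_pass": Message(sender_domain="trusted-vendor.example", dmarc="pass", **base),
        "trusted_dmarc_fail": Message(sender_domain="trusted-vendor.example", dmarc="fail", **base),
        "two_recipients": Message("random-sender.example",
                                  ["alice@corp.example", "bob@corp.example"], [""], None, [LURE_PDF]),
        "reply_to_ok": Message("random-sender.example", ["alice@corp.example"],
                               ["help@random-sender.example"], None, [LURE_PDF]),
        "benign_pdf": Message("random-sender.example", ["alice@corp.example"], [""], None, [BENIGN_PDF]),
    }


def evaluate_all() -> Dict[str, bool]:
    return {name: rule_matches(msg) for name, msg in sample_messages().items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:20s} -> {'MATCH' if hit else 'no match'}")
```

Only the first sample fires: the trusted sender is suppressed when DMARC passes but re-enters scope when it fails, and any of two recipients, a populated reply-to, or a PDF without the recipient's address and cred_theft intent leaves the message unflagged.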
Categories
- Endpoint
- Network
Data Sources
- File
Created: 2026-04-11