
Summary
This detection rule identifies suspicious QR codes embedded in EML file attachments that may link to URLs exhibiting known patterns commonly associated with credential phishing attacks. The rule examines the structure of the URL for certain alphanumeric combinations in the subdomains and paths that are indicative of evasion tactics. It also checks whether the URL contains specific encoded terminators and whether it encodes the recipient's email address as part of the URL, which indicates a targeted approach to credential theft. The rule combines file type analysis, QR code inspection, and regex matching to evaluate the URL structure and confirm that it matches the defined patterns. The severity of the rule is classified as high because such URLs can facilitate phishing attempts that compromise user credentials.
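The pipeline the summary describes, written out as an added example that is not the rule's own logic: parse the EML, gate attachments on image magic bytes rather than the declared Content-Type, hand each image to a QR decoder, then run structural checks on the decoded URL. The sample message, the sample URL, and the regexes for "random-looking" labels and encoded terminators are constructed for illustration; the page does not give the rule's exact patterns. QR decoding itself needs an image library (for example pyzbar), so it is injected as a callable and a stand-in is used in the demo.

```python
import base64
import email
import re
from email import policy
from urllib.parse import quote, unquote, urlsplit

# Constructed sample message (not from the rule): one text body and one PNG
# attachment. The PNG payload is only the 8-byte PNG signature, which is enough
# for the file-type check; a real QR image would be decoded by the injected
# decoder in scan_eml().
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@example.invalid>
To: alice.smith@corp.example
Subject: Action required: scan to re-authenticate
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Scan the attached code to keep your mailbox active.
--b1
Content-Type: image/png; name="qr.png"
Content-Disposition: attachment; filename="qr.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Constructed URL standing in for the decoded QR payload: a random-looking
# subdomain, a random-looking path segment, the recipient's base64-encoded
# address, and a trailing percent-encoded '#' terminator.
RECIPIENT = "alice.smith@corp.example"
SAMPLE_QR_URL = (
    "https://k7d2p9x4m1qz.example.invalid/v/a8b3c1d9e2f4/"
    + base64.b64encode(RECIPIENT.encode()).decode()
    + "%23"
)

# File type analysis: check magic bytes instead of trusting Content-Type.
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}

# Assumed heuristics (the rule's real regexes are not on the page): a "random"
# label mixes letters and digits and is at least 10 characters long; an encoded
# terminator is a percent-encoded '#', '?' or base64 padding at the very end.
RANDOM_LABEL = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{10,}$", re.I)
ENCODED_TERMINATOR = re.compile(r"(%23|%3F|%3D%3D?)$", re.I)


def extract_image_attachments(raw):
    """Parse an EML; return (message, [(filename, kind, bytes), ...]) for
    attachments whose bytes start with a known image signature."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    images = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        kind = next((k for magic, k in IMAGE_MAGIC.items() if data.startswith(magic)), None)
        if kind:
            images.append((part.get_filename(), kind, data))
    return msg, images


def recipient_address(msg):
    """First address in the To: header, or '' if there is none."""
    header = msg["To"]
    return header.addresses[0].addr_spec if header and header.addresses else ""


def encoded_forms(addr):
    """Encodings a phishing kit may use to embed the victim address in a URL."""
    raw = addr.encode()
    return {
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "base64url": base64.urlsafe_b64encode(raw).decode().rstrip("="),
        "hex": raw.hex(),
        "percent": quote(addr, safe=""),
    }


def analyze_qr_url(url, recipient):
    """Return the list of structural indicators present in a decoded QR URL."""
    parts = urlsplit(url)
    findings = []
    labels = (parts.hostname or "").split(".")
    # Only labels left of the registrable domain count as subdomains here.
    if any(RANDOM_LABEL.match(label) for label in labels[:-2]):
        findings.append("random_subdomain")
    if any(RANDOM_LABEL.match(seg) for seg in parts.path.split("/") if seg):
        findings.append("random_path_segment")
    if ENCODED_TERMINATOR.search(url):
        findings.append("encoded_terminator")
    if recipient:
        lowered = url.lower()
        if any(enc.lower() in lowered for enc in encoded_forms(recipient).values()):
            findings.append("recipient_encoded")
        elif recipient.lower() in unquote(url).lower():
            findings.append("recipient_plain")
    return findings


def scan_eml(raw, qr_decoder):
    """File-type gate, QR decode (qr_decoder: bytes -> list of URLs), then URL
    analysis. Returns {attachment filename: findings}."""
    msg, images = extract_image_attachments(raw)
    recipient = recipient_address(msg)
    results = {}
    for filename, _kind, data in images:
        for url in qr_decoder(data):
            results[filename] = analyze_qr_url(url, recipient)
    return results


if __name__ == "__main__":
    # Stand-in decoder for the demo: returns the constructed URL for any image.
    print(scan_eml(SAMPLE_EML, lambda _image: [SAMPLE_QR_URL]))
```

The magic-byte gate runs before any decoding so that a renamed or mislabeled attachment still reaches the QR step; the recipient check tries several encodings because a plain-text match alone misses the base64 and hex forms the summary calls out.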
Categories
- Endpoint
- Web
- Network
Data Sources
- File
- Network Traffic
- Command
Created: 2026-02-18