Attachment: QR code with credential phishing indicators

Sublime Rules

Summary
This detection rule targets credential phishing delivered through QR codes embedded in message attachments. It looks at messages carrying 1 to 3 attachments and flags those that show typical signs of credential theft: LinkAnalysis concludes that a credential phishing attempt is likely, the URL decoded from the QR code traverses dubious infrastructure, or its final destination is known to be associated with phishing. Attachments are first filtered by file type and images are checked for QR codes; the decoded links are then examined through header analysis, natural language processing, and direct URL scrutiny. A wide range of further conditions compares the message against the sender's previous habits, examines the message content, and authenticates the sender domain in order to maximize detection efficacy. The rule also weighs the sender's reputation using DMARC checks and evaluates attachment content through image processing so that malicious activity is flagged efficiently.
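The following Python is an added example that models the logic the summary describes; it is not the rule's own MQL. The image-type list, the redirect table, the dubious and known-phishing host sets, the DMARC result and the sender-history flag are all constructed stand-ins for LinkAnalysis and sender profiling, and the suppression of established, DMARC-passing senders is an assumption about how the sender-habit conditions combine.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Image types scanned for QR codes (assumed list, not the rule's own).
IMAGE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp"}

# Constructed sample data standing in for link analysis: redirect hops, hosts
# treated as dubious intermediate infrastructure, and known phishing hosts.
REDIRECTS = {
    "https://short.example/abc": "https://open-redirect.example/?u=1",
    "https://open-redirect.example/?u=1": "https://login-verify.example/m365",
}
SUSPICIOUS_HOSTS = {"open-redirect.example"}
KNOWN_PHISH_HOSTS = {"login-verify.example"}


@dataclass
class Attachment:
    file_type: str
    qr_urls: list  # URLs already decoded from QR codes in the file (constructed)


@dataclass
class Message:
    dmarc_pass: bool
    sender_established: bool  # sender has prior clean history with the org
    attachments: list


def host(url):
    return (urlparse(url).hostname or "").lower()


def follow_redirects(url, max_hops=5):
    """Return the hop chain for a decoded QR URL, capped to avoid loops."""
    chain = [url]
    while url in REDIRECTS and len(chain) <= max_hops:
        url = REDIRECTS[url]
        chain.append(url)
    return chain


def qr_url_is_credphish(url):
    chain = follow_redirects(url)
    traverses_dubious = any(host(u) in SUSPICIOUS_HOSTS for u in chain)
    lands_on_known_phish = host(chain[-1]) in KNOWN_PHISH_HOSTS
    return traverses_dubious or lands_on_known_phish


def matches_rule(msg):
    # 1-3 attachments, a phishing QR URL in an image, and a sender that is
    # not both established and DMARC-authenticated (assumed suppression).
    if not 1 <= len(msg.attachments) <= 3:
        return False
    if msg.sender_established and msg.dmarc_pass:
        return False
    return any(a.file_type in IMAGE_TYPES and any(qr_url_is_credphish(u) for u in a.qr_urls)
               for a in msg.attachments)
```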
Categories
  • Web
  • Network
  • Cloud
Data Sources
  • Image
  • File
  • User Account
Created: 2023-09-28