Attachment: HTML smuggling - QR Code with suspicious links

Sublime Rules

Summary
This threat detection rule identifies potentially malicious messages that contain HTML attachments with embedded QR codes. Specifically, it targets messages with one or two attachments, inspecting all HTML files (.html, .htm, etc.) as well as attachments with unknown file types or certain archive formats. The rule combines several detection mechanisms, including computer vision for QR code analysis and header and URL analysis, to determine whether any URL encoded in a QR code leads to a suspicious domain. To reduce false positives, the rule excludes messages from highly trusted sender domains unless those messages fail DMARC authentication. Additionally, it checks the sender's profile to confirm the message was not solicited and to filter out known false positives. The rule aims to mitigate the risk of credential phishing delivered through QR codes, strengthening email security controls.
Categories
  • Network
  • Endpoint
  • Web
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Application Log
  • Network Traffic
Created: 2023-11-23