
Attachment: QR code with encoded recipient targeting and redirect indicators
Sublime Rules
Summary
This detection rule identifies potentially malicious QR codes embedded in attachments such as Office documents, PDFs, or images. It targets QR codes that carry indications of recipient targeting, namely an email address in plaintext or base64-encoded form, combined with a URL that redirects the user through common phishing frameworks such as Kratos or SneakyLog. The rule combines file and archive analysis with QR code analysis: it checks attachments for valid file extensions, extracts any QR codes, and scans the decoded URLs for patterns indicative of phishing, paying particular attention to URL structures that match known deceptive redirection techniques. The rule is rated high severity because of the credential-theft risk these phishing schemes pose.
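As an added example (not the rule's own MQL and not code from Sublime), the following Python applies the two conditions described above to constructed QR payload strings: recipient targeting via a plaintext or base64-encoded email address, and a redirect-style URL. The recipient address, the hosts, and the redirect heuristic (a query value that is itself an absolute URL) are assumptions for illustration.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample strings standing in for text decoded from QR codes found in
# attachments; the recipient address and hosts are placeholders, not real IoCs.
RECIPIENT = "jane.doe@example.com"
QR_PAYLOADS = {
    "plain": f"https://example.invalid/verify?u={RECIPIENT}&r=https://login.example.net/",
    "b64": "https://example.invalid/go?next=https%3A%2F%2Flogin.example.net%2F#"
           + base64.b64encode(RECIPIENT.encode()).decode(),
    "benign": "https://example.org/menu",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(r"[A-Za-z0-9+/=_-]{16,}")  # candidate standard/urlsafe base64 runs


def find_emails(text):
    """Return email addresses found in text, in plaintext or base64-encoded."""
    found = set(EMAIL_RE.findall(text))
    for token in B64_RE.findall(text):
        token = token.replace("-", "+").replace("_", "/")  # normalise urlsafe alphabet
        token += "=" * (-len(token) % 4)                    # restore stripped padding
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: skip the candidate
        found.update(EMAIL_RE.findall(decoded))
    return found


def has_redirect_indicator(url):
    """Assumed heuristic: a query value that is itself an absolute http(s) URL."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return any(re.match(r"https?://", unquote(v)) for _, v in pairs)


def classify(qr_text, recipient):
    """Apply the rule's two conditions: recipient targeting AND a redirect-style URL."""
    emails = find_emails(unquote(qr_text))
    targets_recipient = recipient.lower() in {e.lower() for e in emails}
    redirect = has_redirect_indicator(qr_text)
    return {
        "emails": sorted(emails),
        "targets_recipient": targets_recipient,
        "redirect": redirect,
        "suspicious": targets_recipient and redirect,
    }
```

Call `classify(payload, RECIPIENT)` for each entry of `QR_PAYLOADS`; only the two payloads that both name the recipient and carry a redirect-style query value come back as suspicious.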
Categories
- Endpoint
- Web
- Identity Management
- Application
Data Sources
- File
- Process
- Container
- Network Traffic
Created: 2026-01-30