QR Code with suspicious indicators

Sublime Rules

Summary
This detection rule targets messages that contain QR codes in their attachments, especially when certain suspicious conditions are met. It activates when a message has three or fewer attachments, or none at all; in the latter case, it captures a screenshot of the message for further inspection. The rule also requires that the QR code exhibit suspicious characteristics, such as being improperly formatted or originating from questionable sources. A sender display name or email address that does not match the recipient's expected domain raises additional flags. Messages whose subjects include alarming terms such as 'authentication', 'suspicious activity', or 'required' will also trigger the detection. Furthermore, if the QR code leads to domains known for phishing, or if the sender profile is new or an outlier, the rule classifies the message as a high-severity security threat.
Categories
  • Endpoint
  • Cloud
  • Application
  • Web
Data Sources
  • File
  • Process
  • Network Traffic
  • Logon Session
  • User Account
Created: 2023-10-05