Attachment: QR Code With Userinfo Portion

Sublime Rules

Summary
This detection rule identifies inbound messages whose attachments (images or documents) carry embedded QR codes that encode sensitive user information such as usernames and passwords. Because the payload lives inside an image rather than in the message text, the rule relies on image and document analysis to find QR codes that would bypass conventional text-based detection. It inspects attachments of specified file types (images, documents, or PDFs), decodes any QR codes within them, and examines the decoded URL for embedded user information. A message is flagged if the QR code URL contains a username or password, or if the URL is excessively padded, which can signal an attempt to obfuscate malicious intent. The rule additionally checks that the domain in the QR code URL does not match the sending domain, which helps single out likely phishing attempts. False positives are reduced by cross-referencing sender profiles so that non-malicious communications are not flagged.
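The checks the summary describes can be expressed over already-decoded QR payloads. The block below is an added illustration, not the Sublime rule's own logic (which is not reproduced on this page): it assumes QR decoding has already happened upstream and takes the decoded strings as input. The padding threshold, the filler-character pattern, and the last-two-labels domain comparison are simplifying assumptions chosen for the example; the real rule's criteria are not stated on the page.

```python
"""Detection checks for decoded QR-code URLs (added example, not the Sublime rule)."""
import re
from urllib.parse import urlsplit

# Assumption: illustrative thresholds; the rule's actual padding criteria are not on the page.
MAX_REASONABLE_URL_LEN = 2048
# Long runs of filler characters (encoded spaces, whitespace, slashes, dots) treated as padding.
PADDING_RUN = re.compile(r"(%20|\s|/|\.){8,}")

# Constructed sample payloads standing in for strings decoded from QR codes in attachments.
SAMPLE_QR_PAYLOADS = [
    "https://j.doe:Passw0rd@portal.example.net/verify",        # credentials in userinfo, foreign domain
    "https://portal.example.net/verify/////////////x",         # padded URL, foreign domain
    "https://mail.example.org/reset?u=j.doe@example.org",      # '@' only in the query, same domain
    "https://j.doe@mail.example.org/reset",                    # userinfo but same domain as sender
    "https://login.example.net/auth?user=x",                   # foreign domain but no other signal
]


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain.

    Assumption: no public-suffix list is consulted, so multi-label suffixes
    such as co.uk are not handled; a production check should use one.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_qr_url(url: str, sender_domain: str) -> dict:
    """Return the indicator set the summary describes for one decoded QR URL."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname or ""
        username, password = parts.username, parts.password
    except ValueError:
        # Malformed authority (for example a broken IPv6 literal): report and do not flag.
        return {"parse_error": True, "has_userinfo": False,
                "excessive_padding": False, "domain_mismatch": False, "flag": False}

    findings = {
        "parse_error": False,
        # Userinfo portion present: https://user:pass@host/...
        "has_userinfo": username is not None or password is not None,
        # Oversized URL or a long run of filler characters.
        "excessive_padding": len(url) > MAX_REASONABLE_URL_LEN or bool(PADDING_RUN.search(url)),
        # QR destination does not share the sender's registrable domain.
        "domain_mismatch": bool(host) and registrable_domain(host) != registrable_domain(sender_domain),
    }
    # Flag only when a userinfo/padding signal coincides with a domain mismatch,
    # mirroring the two-part condition in the summary above.
    findings["flag"] = (findings["has_userinfo"] or findings["excessive_padding"]) and findings["domain_mismatch"]
    return findings


def scan_decoded_qr_payloads(payloads, sender_domain: str):
    """Return (payload, findings) pairs for every decoded QR URL that should be flagged."""
    results = []
    for payload in payloads:
        findings = analyze_qr_url(payload, sender_domain)
        if findings["flag"]:
            results.append((payload, findings))
    return results


if __name__ == "__main__":
    for payload, findings in scan_decoded_qr_payloads(SAMPLE_QR_PAYLOADS, "example.org"):
        reasons = [k for k in ("has_userinfo", "excessive_padding") if findings[k]]
        print(f"FLAG {payload}  reasons={reasons}  domain_mismatch={findings['domain_mismatch']}")
```

Run as-is, the script flags the first two constructed payloads and leaves the three same-domain or signal-free URLs alone; in a real pipeline the sender-profile cross-reference the summary mentions would sit in front of this check to suppress known senders.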
Categories
  • Network
  • Endpoint
  • Mobile
  • Web
  • Application
Data Sources
  • Image
  • File
  • Process
Created: 2025-02-21