Attachment: PDF with QR code containing recipient-specific credential theft content

Sublime Rules

Summary
Detects inbound emails carrying a PDF attachment whose text contains credential-theft language (identified via NLP) and which embeds a QR code whose URL includes the recipient's email address, either in plaintext or base64-encoded. The rule first analyzes the PDF for credential-theft intent, then extracts any embedded QR codes and inspects the decoded URLs. It triggers when a QR code is present, the QR URL's domain is valid, and the recipient's address appears in that URL directly or as its base64 encoding. Personalizing the URL with the target's address increases the lure's credibility and its potential for credential phishing.
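The core of the QR-code check is the correlation between the decoded URL and the recipient's address. The example below is an added illustration of that logic in Python; it is not the Sublime rule itself (which is written in MQL) and it makes no attempt to parse PDFs or decode QR images. The recipient, the PDF text and the decoded QR URLs are constructed inputs, the phrase counter stands in for the NLU credential-theft classifier, and the domain test is a rough approximation of "the QR URL domain is valid". It does go a step beyond the summary by handling percent-encoded addresses and an address embedded at an arbitrary byte offset inside a larger base64 payload, where the encoded characters depend on the offset modulo 3.

```python
import base64
from typing import Optional
from urllib.parse import unquote, urlparse

# Constructed sample input (not taken from a real message): the recipient, the
# text extracted from the PDF, and the URLs decoded from the PDF's QR codes.
RECIPIENT = "Jane.Doe@corp.example"
PDF_TEXT = ("Your mailbox password expires today. Scan the QR code below to "
            "verify your account and keep access to your files.")
QR_URLS = [
    # percent-encoded plaintext email in a query parameter
    "https://login-verify.example/?u=jane.doe%40corp.example",
    # base64(email) used as a token
    "https://login-verify.example/s?t=amFuZS5kb2VAY29ycC5leGFtcGxl",
    # email embedded at a non-zero offset inside a larger base64 payload
    "https://login-verify.example/#"
    + base64.b64encode(b"name:jane.doe@corp.example").decode().rstrip("="),
    # benign control: no recipient data in the URL
    "https://docs.example/report.pdf",
]

# Stand-in for the NLU credential-theft intent classifier the rule relies on:
# a crude phrase count that is only meant to drive this example.
CRED_THEFT_PHRASES = ("password", "expires", "verify your account", "sign in",
                      "confirm your identity", "unusual activity")


def looks_like_credential_theft(text: str) -> bool:
    t = text.lower()
    return sum(p in t for p in CRED_THEFT_PHRASES) >= 2


def has_valid_domain(url: str) -> bool:
    """Approximation of 'QR URL domain is valid': http(s) scheme and a dotted host."""
    p = urlparse(url)
    host = p.hostname or ""
    return p.scheme in ("http", "https") and "." in host.strip(".")


def base64_fragments(s: str, min_len: int = 12) -> set:
    """Base64 substrings that appear wherever `s` is embedded in a base64 payload.

    Base64 encodes 3-byte groups, so the characters for `s` depend on its byte
    offset modulo 3 in the payload. For each of the three alignments we encode
    `s` behind `shift` dummy bytes, drop the leading characters that mix in the
    dummy bytes and the trailing character that would mix in whatever follows,
    and keep both the standard and the URL-safe alphabet.
    """
    raw = s.encode()
    out = set()
    for shift in range(3):
        n = shift + len(raw)
        head = (8 * shift + 5) // 6      # chars contaminated by the dummy prefix
        tail = (8 * n) // 6              # index past the last fully determined char
        for enc in (base64.b64encode, base64.urlsafe_b64encode):
            frag = enc(b"\x00" * shift + raw).decode().rstrip("=")[head:tail]
            if len(frag) >= min_len:     # avoid spurious hits on very short addresses
                out.add(frag)
    return out


def recipient_in_url(url: str, email: str) -> Optional[str]:
    """Return 'plaintext', 'base64' or None depending on how `email` appears in `url`."""
    if email.lower() in unquote(url).lower():
        return "plaintext"
    for candidate in {email, email.lower()}:   # the sender may have encoded either case
        if any(frag in url for frag in base64_fragments(candidate)):
            return "base64"
    return None


def evaluate(pdf_text: str, qr_urls: list, recipient: str) -> list:
    """Apply the rule's conditions; return (url, encoding) for each QR URL that matches."""
    if not looks_like_credential_theft(pdf_text):
        return []
    hits = []
    for url in qr_urls:
        if not has_valid_domain(url):
            continue
        how = recipient_in_url(url, recipient)
        if how:
            hits.append((url, how))
    return hits


if __name__ == "__main__":
    for url, how in evaluate(PDF_TEXT, QR_URLS, RECIPIENT):
        print(f"{how:9s} {url}")
```

Checking only `base64(email)` as a literal misses the third URL above, because a 5-byte prefix shifts the alignment and changes every character of the encoded address; generating the three alignment fragments (and both alphabets) closes that gap without needing to decode every base64-looking token in the URL.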
Categories
  • Endpoint
Data Sources
  • File
Created: 2026-06-10