
Summary
Technical summary: This rule detects inbound emails carrying DOCX attachments that are themed around compensation or benefits and contain QR codes which may direct recipients to credential-theft pages. It fires when at least one DOCX attachment is present and the message body is short or consists of disclaimers, which are ignored for the length check. The rule applies content-based indicators (filenames and metadata) for compensation-related terms and uses NLP to detect credential-theft intent and suspicious topics (e.g., Benefit Enrollment, Financial Communications). It analyses the DOCX content through text extraction, OCR and EXIF data to identify embedded cues, including QR codes that link to URLs or trigger credential collection. It also checks for recipient-domain hints and potential redirections, and attempts to correlate OCR/QR findings with the suspicious email's recipients. By combining these data sources (attachment files, OCR/text extraction, QR code analysis and NLP classification) it identifies credential-theft lures embedded in compensation communications. To reduce false positives, highly trusted senders are excluded unless DMARC validation fails. The rule targets credential phishing and uses QR code, social engineering and brand impersonation techniques as its core detection signals.
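The following is an added illustration, not the rule's own query or any vendor code: a plain-Python model of the conditions the summary describes (DOCX attachment with compensation-themed name or metadata, short body once disclaimers are stripped, a QR-decoded URL paired with credential-theft cues or a recipient-domain hint, and the trusted-sender exception that only lifts when DMARC fails). The term lists, the 40-word body threshold, the disclaimer pattern and the sample messages are all constructed for the example; text extraction, OCR and QR decoding are assumed to have already run upstream and are represented by fields on the attachment object.

```python
import re
from dataclasses import dataclass, field, replace
from typing import List, Optional
from urllib.parse import urlparse

# Term lists are constructed for this example; the rule's real lists are not on the page.
COMPENSATION_TERMS = ("salary", "compensation", "bonus", "benefit", "payroll", "raise", "enrollment")
CREDENTIAL_TERMS = ("sign in", "log in", "verify your", "password", "review your account")
# Boilerplate disclaimers that must not count toward the body length (constructed pattern).
DISCLAIMER_RE = re.compile(
    r"(this (e-?mail|message)[^.]*confidential[^.]*\.|caution: external sender[^.]*\.)",
    re.IGNORECASE,
)
SHORT_BODY_MAX_WORDS = 40  # assumed threshold; the page states no number


@dataclass
class Attachment:
    filename: str
    extracted_text: str = ""                           # text layer + OCR output, assumed produced upstream
    qr_urls: List[str] = field(default_factory=list)   # URLs decoded from QR images, assumed produced upstream
    metadata_title: str = ""                           # e.g. the DOCX core-properties title


@dataclass
class Message:
    sender_trusted: bool
    dmarc_pass: bool
    body: str
    recipient_domain: str
    attachments: List[Attachment]


def strip_disclaimers(body: str) -> str:
    """Remove boilerplate disclaimers so they do not inflate the body length."""
    return DISCLAIMER_RE.sub("", body).strip()


def body_is_short(body: str, max_words: int = SHORT_BODY_MAX_WORDS) -> bool:
    return len(strip_disclaimers(body).split()) <= max_words


def is_docx(att: Attachment) -> bool:
    return att.filename.lower().endswith(".docx")


def has_compensation_theme(att: Attachment) -> bool:
    """Content-based indicator: compensation terms in the filename or document metadata."""
    haystack = f"{att.filename} {att.metadata_title}".lower()
    return any(term in haystack for term in COMPENSATION_TERMS)


def qr_credential_lure(att: Attachment, recipient_domain: str) -> Optional[str]:
    """Return the first QR-decoded URL that pairs with credential-theft cues, else None."""
    text = att.extracted_text.lower()
    credential_intent = any(term in text for term in CREDENTIAL_TERMS)
    for url in att.qr_urls:
        host = (urlparse(url).hostname or "").lower()
        # The recipient's domain appearing in a URL whose host is elsewhere is treated
        # here as a recipient-domain hint (a victim identifier in the path or query).
        recipient_hint = (recipient_domain.lower() in url.lower()
                          and not host.endswith(recipient_domain.lower()))
        if credential_intent or recipient_hint:
            return url
    return None


def evaluate(msg: Message) -> Optional[dict]:
    """Return a verdict dict when every condition holds, otherwise None."""
    # False-positive safeguard: highly trusted senders are excluded unless DMARC fails.
    if msg.sender_trusted and msg.dmarc_pass:
        return None
    if not body_is_short(msg.body):
        return None
    for att in msg.attachments:
        if not (is_docx(att) and has_compensation_theme(att)):
            continue
        url = qr_credential_lure(att, msg.recipient_domain)
        if url:
            return {"attachment": att.filename, "qr_url": url}
    return None


# Constructed sample messages (not real traffic).
LURE = Message(
    sender_trusted=False, dmarc_pass=True, recipient_domain="example.org",
    body="Please see the attached. This email and any attachments are confidential and intended solely for the addressee.",
    attachments=[Attachment(
        filename="2024_Salary_Adjustment.docx",
        extracted_text="Scan the QR code to sign in and review your compensation statement.",
        qr_urls=["https://login-portal.invalid/auth?u=hr@example.org"],
        metadata_title="Compensation Update",
    )],
)
BENIGN = Message(
    sender_trusted=False, dmarc_pass=True, recipient_domain="example.org",
    body="Hi team, here is the quarterly benefits FAQ we discussed at the all-hands.",
    attachments=[Attachment(filename="Benefits_FAQ.docx",
                            extracted_text="Frequently asked questions about dental coverage.")],
)
TRUSTED_DMARC_FAIL = replace(LURE, sender_trusted=True, dmarc_pass=False)  # exception does not apply

if __name__ == "__main__":
    print(evaluate(LURE))                # verdict with the QR URL
    print(evaluate(BENIGN))              # None: compensation-themed DOCX but no QR lure
    print(evaluate(TRUSTED_DMARC_FAIL))  # still a verdict: trusted sender, but DMARC failed
```

The structure mirrors the summary: cheap gating checks first (sender trust plus DMARC, body length with disclaimers removed), then the per-attachment content indicators, and only then the costlier correlation of QR-decoded URLs with credential-theft language and recipient-domain hints.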
Categories
- Endpoint
- Web
- Application
- Other
Data Sources
- File
- Image
Created: 2026-05-29