ClickFunnels link infrastructure abuse

Sublime Rules

Summary
This detection rule identifies potential credential phishing attempts that use ClickFunnels tracking links without proper authentication. Specifically, it targets emails that contain links to the 'myclickfunnels.com' domain but do not originate from sanctioned ClickFunnels sources. Signals the rule looks for include a limited number of links or attachments in the email, and images or PDFs containing QR codes that link to the identified domains. The rule also scrutinizes the metadata of any attached files. Legitimate replies and emails from trusted domains are excluded unless they fail DMARC checks. This layered approach lets both content and header analysis contribute to the detection, focusing on atypical sender profiles and suspicious link usage in email communication.
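The summary above describes the rule's conditions in prose. The following is an added illustration, not Sublime's own rule logic or query language: a small Python evaluator that applies the same layered checks (link or QR-code target on myclickfunnels.com, sender not a sanctioned ClickFunnels source, a limited number of links and attachments, and an exclusion for replies and trusted senders that still pass DMARC) to constructed message records. The sanctioned-sender list, trusted-domain list, thresholds and the `Message`/`Attachment` field layout are assumptions made for this example; only the 'myclickfunnels.com' domain comes from the page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Domain the rule keys on (from the rule summary).
CLICKFUNNELS_LINK_DOMAIN = "myclickfunnels.com"

# Everything below is an assumed parameter of this illustration, not a value
# taken from the real rule: adjust to the organization's own allowlists.
SANCTIONED_SENDER_DOMAINS = {"clickfunnels.com"}   # assumed legitimate ClickFunnels senders
TRUSTED_ORG_DOMAINS = {"example.com"}              # assumed organization allowlist
MAX_LINKS = 10                                     # assumed "limited number of links"
MAX_ATTACHMENTS = 3                                # assumed "limited number of attachments"


@dataclass
class Attachment:
    content_type: str                  # e.g. "image/png", "application/pdf"
    qr_code_url: Optional[str] = None  # URL decoded from a QR code, if one was found


@dataclass
class Message:
    sender_domain: str
    links: List[str] = field(default_factory=list)
    attachments: List[Attachment] = field(default_factory=list)
    is_reply: bool = False   # In-Reply-To / References present
    dmarc_pass: bool = True  # outcome of the DMARC check on the sender domain


def host_matches(url: str, domain: str) -> bool:
    """True if the URL's host is the domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def is_qr_carrier(att: Attachment) -> bool:
    """Images and PDFs are the attachment types the rule inspects for QR codes."""
    return att.content_type.startswith("image/") or att.content_type == "application/pdf"


def clickfunnels_targets(msg: Message) -> List[str]:
    """Collect every link, in the body or decoded from a QR code, that points at the domain."""
    hits = [u for u in msg.links if host_matches(u, CLICKFUNNELS_LINK_DOMAIN)]
    for att in msg.attachments:
        if is_qr_carrier(att) and att.qr_code_url and host_matches(att.qr_code_url, CLICKFUNNELS_LINK_DOMAIN):
            hits.append(att.qr_code_url)
    return hits


def evaluate(msg: Message) -> Dict[str, object]:
    """Return {'match': bool, 'reason': str, 'targets': [...]} for one message."""
    targets = clickfunnels_targets(msg)
    sender = msg.sender_domain.lower()
    if not targets:
        return {"match": False, "reason": "no myclickfunnels.com link or QR target", "targets": []}
    if sender in SANCTIONED_SENDER_DOMAINS:
        return {"match": False, "reason": "sanctioned ClickFunnels sender", "targets": targets}
    if len(msg.links) > MAX_LINKS or len(msg.attachments) > MAX_ATTACHMENTS:
        return {"match": False, "reason": "too many links/attachments for this profile", "targets": targets}
    # Replies and trusted senders are excluded, but only while DMARC holds up.
    if (msg.is_reply or sender in TRUSTED_ORG_DOMAINS) and msg.dmarc_pass:
        return {"match": False, "reason": "reply or trusted sender with passing DMARC", "targets": targets}
    return {"match": True, "reason": "unsanctioned sender with myclickfunnels.com target", "targets": targets}


# Constructed sample messages (not real traffic) covering each branch of the rule.
SAMPLES = {
    "body_link_unknown_sender": Message(
        sender_domain="notify-mailer.test",
        links=["https://acct-verify.myclickfunnels.com/login"]),
    "sanctioned_sender": Message(
        sender_domain="clickfunnels.com",
        links=["https://pages.myclickfunnels.com/newsletter"]),
    "qr_in_pdf_unknown_sender": Message(
        sender_domain="invoices.test",
        attachments=[Attachment("application/pdf", "https://qr.myclickfunnels.com/pay")]),
    "reply_dmarc_pass": Message(
        sender_domain="partner.test", is_reply=True,
        links=["https://x.myclickfunnels.com/doc"]),
    "trusted_domain_dmarc_fail": Message(
        sender_domain="example.com", dmarc_pass=False,
        links=["https://x.myclickfunnels.com/doc"]),
}


def run_samples() -> Dict[str, bool]:
    return {name: bool(evaluate(m)["match"]) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, m in SAMPLES.items():
        print(f"{name:30s} -> {evaluate(m)}")
```

The DMARC condition is the part practitioners most often get backwards: the allowlist for replies and trusted domains only applies when authentication succeeds, so a spoofed message from a trusted domain that fails DMARC still reaches the final match branch.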
Categories
  • Web
  • Endpoint
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Web Credential
  • Network Traffic
  • File
Created: 2024-10-08