
Summary
Detects inbound email attachments that are PDFs containing split QR codes placed in close proximity to one another. The rule targets PDF attachments on inbound traffic, applies a file-explosion step, and then runs a YARA scan for the rule named Phishing_PDF_Split_QR_Code_Pair. It is designed to identify QR codes split into fragments sized 290x290, 300x300, or 370x370 and placed near each other: the split evades conventional content screening while the combined code still functions, preserving its use for credential theft. A match triggers a medium-severity alert. Detection relies on file analysis of the attachment, YARA-based pattern matching, and subsequent QR code analysis that verifies the presence and placement of the split QR codes. This rule complements other phishing detections by focusing on a covert QR-based credential exfiltration technique.
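As an added illustration of the placement check described above (not the rule's own YARA or query logic), the Python below flags pairs of same-size QR-fragment images that sit on the same PDF page within a small gap of each other. The image records, the 20-point gap threshold and the same-size requirement for a pair are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

# Pixel dimensions the rule treats as QR-code fragments (from the rule description).
SPLIT_QR_SIZES = {(290, 290), (300, 300), (370, 370)}
# Assumed proximity threshold in PDF points; the rule text gives no exact figure.
MAX_GAP_PT = 20.0

@dataclass(frozen=True)
class PdfImage:
    page: int
    px_w: int    # pixel width of the embedded image stream
    px_h: int    # pixel height of the embedded image stream
    x: float     # left edge of the drawn box on the page, in points
    y: float     # bottom edge of the drawn box, in points
    w: float     # drawn width, in points
    h: float     # drawn height, in points

def is_qr_fragment(img):
    return (img.px_w, img.px_h) in SPLIT_QR_SIZES

def box_gap(a, b):
    """Smallest axis-aligned distance between two drawn boxes (0.0 if they overlap)."""
    dx = max(0.0, max(a.x, b.x) - min(a.x + a.w, b.x + b.w))
    dy = max(0.0, max(a.y, b.y) - min(a.y + a.h, b.y + b.h))
    return max(dx, dy)

def find_split_qr_pairs(images):
    """Index pairs of same-size QR fragments on the same page within MAX_GAP_PT of each other."""
    pairs = []
    for (i, a), (j, b) in combinations(enumerate(images), 2):
        if not (is_qr_fragment(a) and is_qr_fragment(b)):
            continue
        if a.page != b.page or (a.px_w, a.px_h) != (b.px_w, b.px_h):
            continue
        if box_gap(a, b) <= MAX_GAP_PT:
            pairs.append((i, j))
    return pairs

def alert_severity(images):
    # The rule raises a medium-severity alert on a match; None means no pair found.
    return "medium" if find_split_qr_pairs(images) else None

# Constructed sample: two 300x300 halves side by side (0, 1), a lone 290x290 (2) beside
# a 200x200 logo (3), and two 370x370 halves stacked vertically on page 2 (4, 5).
SAMPLE_IMAGES = [
    PdfImage(1, 300, 300, 100.0, 500.0, 90.0, 90.0),
    PdfImage(1, 300, 300, 192.0, 500.0, 90.0, 90.0),
    PdfImage(1, 290, 290, 400.0, 100.0, 90.0, 90.0),
    PdfImage(1, 200, 200, 495.0, 100.0, 60.0, 60.0),
    PdfImage(2, 370, 370, 72.0, 300.0, 110.0, 110.0),
    PdfImage(2, 370, 370, 72.0, 185.0, 110.0, 110.0),
]
```

Feeding the image list extracted by a real file-explosion step into find_split_qr_pairs gives the candidate pairs that the subsequent QR code analysis would then verify.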
Categories
- Endpoint
Data Sources
- File
Created: 2026-04-16