
Summary
This detection rule identifies phishing attempts delivered through QR codes embedded in image or PDF attachments. It inspects each incoming message's attachments and, for any that is an image or a PDF, extracts the QR codes it contains. Each decoded QR code is checked for a URL, and any URL found is submitted to link analysis to determine its phishing disposition. If link analysis marks the URL as phishing and the URL's root domain is not one of the organization's trusted domains, the rule flags the message as malicious. The rule also weighs sender context: it takes into account whether the sender has a history of sending benign messages, and it does not exempt highly trusted sender domains when the message fails DMARC. Combining attachment content analysis, sender verification, and URL scrutiny in this way gives broad coverage of QR-code phishing delivered via attachments.
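The decision logic described above, written out as an added Python example rather than the rule's own source. It assumes QR decoding and link analysis happen upstream (the decoded QR payloads and the link-analysis dispositions are constructed inputs here), and it uses a naive two-label root-domain extraction where a real rule would consult the public suffix list.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed stand-ins for the organization's domains and for the "highly trusted" sender domains.
ORG_DOMAINS = {"example-corp.com"}
HIGHLY_TRUSTED_DOMAINS = {"microsoft.com", "google.com"}
IMAGE_OR_PDF = {"image/png", "image/jpeg", "image/gif", "application/pdf"}

# Constructed link-analysis results; in production these come from the platform's URL analysis.
LINK_ANALYSIS = {
    "https://login-verify.example-phish.net/mfa": "phishing",
    "https://example-corp.com/reset": "phishing",  # flagged, but org-owned, so excluded
    "https://docs.example-vendor.com/invoice.pdf": "benign",
}

@dataclass
class Attachment:
    content_type: str
    qr_payloads: list  # decoded QR contents; QR extraction is assumed done upstream

@dataclass
class Message:
    sender_domain: str
    dmarc_pass: bool
    sender_benign_history: bool  # sender has previously sent benign mail
    attachments: list = field(default_factory=list)

def root_domain(url: str) -> str:
    """Naive registrable-domain extraction (last two labels); a real rule uses the public suffix list."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def qr_urls(att: Attachment):
    """Keep only QR payloads that decode to http(s) URLs (Wi-Fi, vCard, plain-text codes are ignored)."""
    return [p for p in att.qr_payloads if urlparse(p).scheme in ("http", "https")]

def is_qr_phishing(msg: Message) -> bool:
    """Return True when the message should be flagged by the QR-code phishing rule."""
    # Sender-side exclusions: benign sending history, or a highly trusted domain that passes DMARC.
    if msg.sender_benign_history:
        return False
    if msg.sender_domain in HIGHLY_TRUSTED_DOMAINS and msg.dmarc_pass:
        return False
    for att in msg.attachments:
        if att.content_type not in IMAGE_OR_PDF:
            continue
        for url in qr_urls(att):
            if LINK_ANALYSIS.get(url) == "phishing" and root_domain(url) not in ORG_DOMAINS:
                return True
    return False
```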
Categories
- Endpoint
- Cloud
- Application
- Identity Management
- Web
Data Sources
- Image
- File
- Network Traffic
- Web Credential
Created: 2023-12-06