
Summary
This detection rule identifies malicious email attachments that use QR codes to deliver targeted credential phishing. Specifically, it flags cases where an image or macro attachment contains a QR code that resolves to a URL in which the recipient's email address is encoded. Embedding the address lets an attacker serve a personalized phishing page and track which recipients scanned the code. The rule applies several checks, including analysis of the incoming email's subject and sender information, and raises an alert on suspicious patterns, particularly when high-confidence credential-theft intent is detected. It evaluates the presence of certain attachment types (images, macros, or PDFs) and scrutinizes the base64-encoded content of the QR code's URL to confirm that it is inappropriately linked to the recipient's email domain. To avoid false positives, the rule also checks the sender against their historical profile, so that only genuinely suspicious cases are flagged.
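The core check the summary describes, the decoded QR URL carrying the recipient's address in plaintext or base64, as an added worked example that is not the rule's own logic. It assumes the QR payload has already been decoded to a URL string by an upstream QR decoder; the function name `url_encodes_recipient` and all sample values are constructed for this example.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# A run long enough to plausibly be a base64-encoded address, with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{12,}={0,2}")


def _b64_decode(token: str) -> Optional[str]:
    """Decode a token in either the standard or URL-safe base64 alphabet."""
    core = token.rstrip("=").translate(str.maketrans("-_", "+/"))
    padded = core + "=" * (-len(core) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def url_encodes_recipient(url: str, recipient: str) -> Optional[str]:
    """Return a reason string if the URL embeds the recipient's address, else None."""
    recipient = recipient.strip().lower()
    parts = urlsplit(url)
    # Candidate components: path segments, raw query pairs ('+' kept intact so
    # standard base64 survives), and the fragment.
    candidates = [unquote(seg) for seg in parts.path.split("/") if seg]
    candidates += [unquote(pair) for pair in parts.query.split("&") if pair]
    if parts.fragment:
        candidates.append(unquote(parts.fragment))
    for cand in candidates:
        if recipient in cand.lower():
            return f"plaintext recipient in URL component {cand!r}"
        for token in B64_TOKEN.findall(cand):
            decoded = _b64_decode(token)
            if decoded and recipient in decoded.lower():
                return f"base64-encoded recipient in URL component {cand!r}"
    return None


# Constructed sample data (not real indicators).
SAMPLE_RECIPIENT = "victim@corp.example"
_ENC = base64.urlsafe_b64encode(SAMPLE_RECIPIENT.encode()).decode()
SAMPLE_URLS = {
    "path_b64": f"https://login-portal.invalid/verify/{_ENC}",
    "query_b64": f"https://cdn-files.invalid/view?id=42&u={_ENC}",
    "fragment_plain": f"https://docs-share.invalid/open#{SAMPLE_RECIPIENT}",
    "benign": "https://vendor.invalid/assets/a1b2c3d4e5f6g7h8/report.pdf",
}
```

`_ENC` is derived from the sample address only to build test inputs; in a real pipeline the URL comes from the QR decoder and the recipient from the message envelope.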
Categories
- Endpoint
- Web
- Application
Data Sources
- File
- Process
- Network Traffic
- Application Log
Created: 2025-02-25