
Summary
This detection rule identifies inbound messages that impersonate legitimate HR documents about policy updates, payroll, and employee evaluations in order to phish employees. It matches email subjects and attachment names against keywords commonly used in salary and benefit discussions, such as 'salary', 'bonus', 'review', and 'evaluation', and restricts attachments to Microsoft Word documents (.doc, .docx, .docm), the file types this credential-phishing pattern uses. The documents typically carry an embedded QR code that sends the victim to a credential-harvesting page, which keeps the malicious URL out of the message body where link scanners would inspect it. The rule excludes messages from high-trust sender domains and messages that pass DMARC, so that alerts concentrate on unfamiliar or unauthenticated senders. Note that a DMARC pass only proves the sending domain was authenticated, not that the content is benign: mail sent from a compromised account at a trusted domain will pass DMARC and be suppressed by this exclusion, so that case needs separate coverage.
Categories
- Endpoint
- Cloud
- Application
- Identity Management
Data Sources
- User Account
- File
- Process
- Network Traffic
Created: 2025-03-31