Brand Impersonation: Google (QR Code)

Sublime Rules

Summary
This detection rule identifies phishing attempts that use Google-branded QR codes in messages from unsolicited senders. It fires on messages whose body is shorter than 1000 characters and checks the subject and body for keywords related to two-factor authentication (2FA) and QR codes. It inspects attachments of common file types that may carry a malicious payload (such as images or PDFs), searching them for Google logos as indicators of impersonation, and further analyzes the attachments' metadata, including scanning any extracted text for terms that suggest a QR code or a prompt to scan with a camera. Sender reputation is then applied to filter out false positives: the detection prioritizes suspicious or low-trust sources over legitimate high-trust senders, unless the message fails DMARC authentication. By combining computer vision, header analysis, QR code analysis, and sender reputation, the rule targets credential phishing that relies on brand impersonation through deceptive QR codes.
Categories
  • Web
  • Cloud
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
  • Process
  • Malware Repository
Created: 2024-04-03