Attachment: QR code with recipient targeting and special characters

Sublime Rules

Summary
This detection rule identifies email messages containing attachments that include QR codes specifically targeting the recipient's email address. The rule looks for attachments with a QR code URL or fragment where the path contains special characters, such as '!' or '@', indicating a potential phishing attempt. It checks for a simple path structure (two segments separated by a '/') and looks for suspicious endings like '$' or '*', which might suggest an obfuscated URL. The recipient's email address may appear within the URL's path or fragment, either in plain text or base64 encoded form. If an email with only one valid recipient matches these criteria, the rule triggers a high-severity alert, indicating potential credential phishing via social engineering tactics involving a QR code.
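To make the heuristics in the summary concrete, here is an added Python illustration written for this page; it is not the Sublime rule itself (which is expressed in Sublime's query language and is not reproduced here). It applies the summary's indicators to a URL already decoded from a QR attachment: the recipient address in the path or fragment (plain or base64, in both standard and URL-safe alphabets), '!' or '@' in the path, a two-segment path, and a '$' or '*' ending, gated on the message having exactly one recipient. How the rule combines those indicators is not stated on the page, so the combination (personalization plus any one structural indicator) is an assumption, and all URLs and the address are constructed sample data.

```python
import base64
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators named in the rule summary; how they are combined is an assumption.
SPECIAL_CHARS = ("!", "@")
SUSPICIOUS_ENDINGS = ("$", "*")


def recipient_encodings(email: str) -> set[str]:
    """Base64 forms of the address a lure might embed: standard and
    URL-safe alphabets, with and without '=' padding."""
    raw = email.encode()
    variants: set[str] = set()
    for enc in (base64.b64encode(raw), base64.urlsafe_b64encode(raw)):
        text = enc.decode()
        variants.add(text)
        variants.add(text.rstrip("="))
    return variants


def recipient_in(text: str, email: str) -> bool:
    """True if the address appears in `text` in plain form (case-insensitive)
    or as one of its base64 encodings (exact match)."""
    if email.lower() in text.lower():
        return True
    return any(v in text for v in recipient_encodings(email))


@dataclass
class Verdict:
    recipient_targeted: bool   # address found in path or fragment
    special_chars: bool        # '!' or '@' present in the path
    two_segment_path: bool     # path is exactly two '/'-separated segments
    suspicious_ending: bool    # path or fragment ends in '$' or '*'
    single_recipient: bool     # message has exactly one recipient
    alert: bool                # overall high-severity match


def evaluate_qr_url(url: str, recipients: list[str]) -> Verdict:
    """Apply the summary's heuristics to one URL decoded from a QR attachment.
    Only the path and fragment are inspected, as the summary describes; the
    query string is deliberately ignored."""
    parts = urlsplit(url)
    path, fragment = parts.path, parts.fragment
    segments = [s for s in path.strip("/").split("/") if s]

    targeted = any(recipient_in(path, r) or recipient_in(fragment, r) for r in recipients)
    special = any(c in path for c in SPECIAL_CHARS)
    two_seg = len(segments) == 2
    ending = path.endswith(SUSPICIOUS_ENDINGS) or fragment.endswith(SUSPICIOUS_ENDINGS)
    single = len(recipients) == 1

    # Assumption: personalization plus any one structural indicator triggers the alert.
    alert = single and targeted and (special or two_seg or ending)
    return Verdict(targeted, special, two_seg, ending, single, alert)


# Constructed sample data (not real mailboxes or observed lures).
RECIPIENT = "victim@example.test"
PLAIN_URL = "https://portal.example.test/!login/victim@example.test"
B64_URL = ("https://cdn.example.test/view/doc$#"
           + base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("="))
BENIGN_URL = "https://docs.example.test/guide/page"
QUERY_ONLY_URL = "https://app.example.test/a/b/c?user=victim@example.test"

if __name__ == "__main__":
    for url in (PLAIN_URL, B64_URL, BENIGN_URL, QUERY_ONLY_URL):
        print(url, "->", evaluate_qr_url(url, [RECIPIENT]))
```

Running the script shows the plain-text and base64 lures alerting, the benign two-segment URL not alerting because it carries no recipient address, and the query-string case not alerting because the address sits outside the path and fragment. Passing two recipients for the same lure keeps `recipient_targeted` true but clears `alert`, mirroring the single-recipient condition in the summary.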
Categories
  • Endpoint
  • Web
  • Application
  • Identity Management
Data Sources
  • File
  • Process
  • Network Traffic
Created: 2026-01-22