
Constant Contact link infrastructure abuse

Sublime Rules

Summary
This detection rule identifies potential credential phishing emails that abuse Constant Contact's link tracking infrastructure, specifically links on the domain 'rs6.net'. The rule checks each email against several conditions, including the number of links in the body and attachments containing QR codes that resolve to the rs6.net domain. It excludes legitimate mail sent by Constant Contact by evaluating SPF, DKIM, and DMARC authentication results, so only messages that fail these checks are treated as suspicious. The rule further excludes replies and forwards of earlier messages, and it takes sender reputation into account, flagging new or rare sender profiles.
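The rule's logic expressed as an added Python example, not the Sublime rule itself and not written in Sublime's MQL: a constructed message model, the body-link and QR-code checks for rs6.net, the authentication-based exclusion for genuine Constant Contact mail, and the reply and sender-prevalence conditions. The link-count threshold and the prevalence buckets are assumptions, since the summary does not state them.

```python
import re
from dataclasses import dataclass, field

# Constructed message model; Sublime's real message schema is not reproduced here.
TRACKED_DOMAIN = "rs6.net"
MAX_BODY_LINKS = 10  # assumed threshold; the rule summary gives no exact number

@dataclass
class Attachment:
    qr_code_urls: list = field(default_factory=list)  # URLs decoded from embedded QR codes

@dataclass
class Message:
    body_links: list
    attachments: list
    sender_domain: str
    spf: str                  # "pass" / "fail" / "none"
    dkim: str
    dmarc: str
    is_reply_or_forward: bool
    sender_prevalence: str    # assumed buckets: "new", "rare", "common"

def points_to_rs6(url):
    # Match on the host, not on a substring, so "rs6.net.evil.example" does not count.
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    host = m.group(1).lower() if m else ""
    return host == TRACKED_DOMAIN or host.endswith("." + TRACKED_DOMAIN)

def uses_rs6_infrastructure(msg):
    # A short lure carrying an rs6.net link, or an attachment whose QR code resolves to rs6.net.
    body_hit = (len(msg.body_links) <= MAX_BODY_LINKS
                and any(points_to_rs6(u) for u in msg.body_links))
    qr_hit = any(points_to_rs6(u) for a in msg.attachments for u in a.qr_code_urls)
    return body_hit or qr_hit

def legitimate_constant_contact(msg):
    # Genuine Constant Contact mail authenticates; failing SPF/DKIM/DMARC forfeits the exclusion.
    return (msg.sender_domain.endswith("constantcontact.com")
            and (msg.spf, msg.dkim, msg.dmarc) == ("pass", "pass", "pass"))

def is_suspicious(msg):
    return (uses_rs6_infrastructure(msg) and not legitimate_constant_contact(msg)
            and not msg.is_reply_or_forward and msg.sender_prevalence in ("new", "rare"))

# Constructed samples: an unknown-sender lure, a genuine newsletter, a QR lure inside a reply.
LURE = Message(["https://r20.rs6.net/tn.jsp?f=abc"], [], "sender.example",
               "fail", "none", "fail", False, "new")
NEWSLETTER = Message([f"https://r20.rs6.net/tn.jsp?f={i}" for i in range(25)], [],
                     "ccsend.constantcontact.com", "pass", "pass", "pass", False, "common")
QR_REPLY = Message([], [Attachment(["https://rs6.net/qr"])], "partner.example",
                   "pass", "pass", "pass", True, "rare")
```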
Categories
  • Web
  • Endpoint
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Network Traffic
  • Process
  • File
Created: 2024-01-22