Link: QR Code with suspicious language (untrusted sender)

Sublime Rules

Summary
This detection rule targets phishing attempts that deliver QR codes inside image attachments. It starts by analyzing inbound email and checks whether any included attachments, primarily images or PDFs, contain QR codes. The rule then checks whether the URLs decoded from those QR codes include the recipient's email address, which signals a potential phishing attempt, especially when the URL does not belong to one of the organization's trusted domains. Further, the email body is scrutinized with Natural Language Processing (NLP) to detect terminology commonly associated with credential theft. The rule also reviews the attachments for suspicious keywords related to multifactor authentication and QR codes. Moreover, it assesses the sender's reputation based on historical message behavior and checks for DMARC authentication failures. Together, these checks allow the rule to detect QR-code phishing campaigns that aim to compromise credentials.
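The recipient-address check described above, as an added illustration in Python rather than the rule's own MQL: it takes URLs as a QR decoder would return them and flags any that embed the recipient address (plain, percent-encoded, or base64) while pointing at a host outside the trusted-domain list. The domain list, recipient address and payload URLs are constructed for the example.

```python
import base64
from dataclasses import dataclass
from urllib.parse import unquote, urlparse

# Constructed allow-list standing in for the organization's trusted domains (assumption).
TRUSTED_DOMAINS = {"example.com"}
RECIPIENT = "alice@example.com"  # constructed recipient address


def url_targets_recipient(url: str, recipient: str) -> bool:
    """True if the decoded QR URL carries the recipient address as plain text,
    percent-encoded ('%40'), or base64 (standard or URL-safe alphabet)."""
    raw, decoded = url, unquote(url)
    if recipient.lower() in raw.lower() or recipient.lower() in decoded.lower():
        return True
    for variant in {recipient, recipient.lower()}:
        for enc in (base64.b64encode, base64.urlsafe_b64encode):
            token = enc(variant.encode()).decode().rstrip("=")  # padding-agnostic match
            if token in raw or token in decoded:
                return True
    return False


def host_is_trusted(url: str, trusted_domains=TRUSTED_DOMAINS) -> bool:
    """Exact or subdomain match on the URL's host, never on the URL's path or query."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


@dataclass
class Verdict:
    url: str
    recipient_in_url: bool
    trusted_host: bool

    @property
    def suspicious(self) -> bool:
        return self.recipient_in_url and not self.trusted_host


def assess_qr_payloads(payloads, recipient, trusted_domains=TRUSTED_DOMAINS):
    return [Verdict(u, url_targets_recipient(u, recipient), host_is_trusted(u, trusted_domains))
            for u in payloads]


# Constructed payloads as a QR decoder would return them (not real indicators).
SAMPLE_PAYLOADS = [
    "https://sso.example.com/login?user=alice%40example.com",  # address present, trusted host
    "https://portal-verify.invalid/auth?e=alice@example.com",   # plain address, untrusted host
    "https://mfa-setup.invalid/#" + base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("="),
    "https://docs.invalid/handbook.pdf",                        # no address at all
]


def suspicious_urls(payloads=SAMPLE_PAYLOADS, recipient=RECIPIENT):
    return [v.url for v in assess_qr_payloads(payloads, recipient) if v.suspicious]
```

Running `suspicious_urls()` on the constructed payloads flags only the two untrusted URLs that carry the address; the trusted SSO link and the plain PDF link pass.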
Categories
  • Endpoint
  • Cloud
  • Web
  • Application
  • Identity Management
Data Sources
  • Image
  • User Account
  • Network Traffic
  • Application Log
  • Process
Created: 2023-07-18