Attachment: Compensation review lure with QR code

Sublime Rules

Summary
This detection rule targets PDF attachments in unsolicited messages that carry compensation or payroll themes, particularly when the PDF also contains a QR code. It fires only when the email has exactly one PDF attachment and a short or empty message body. It then checks whether the PDF's extracted content or its filename contains compensation-related terms (e.g., salary, bonus, remuneration), a theme commonly used as a credential-theft lure. It also inspects the QR code's type and decoded URL so that QR codes resolving to legitimate links are excluded. Finally, the rule requires a sender profile with no history of benign messages, or one that has previously shown phishing or spam behaviour. The rule carries high severity because of the credential-theft risk, and it relies on optical character recognition, file and sender analysis, and natural language understanding to identify the lure.
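As an added illustration, not Sublime's own MQL rule, the following Python models the conditions listed above over constructed sample emails. The attachment and sender fields, the "short body" threshold, the term list and the allowlisted QR host are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed term list and thresholds for the example (not the rule's actual values).
COMPENSATION_TERMS = re.compile(
    r"\b(salary|bonus|remuneration|payroll|compensation|pay (?:rise|raise))\b", re.I)
MAX_BODY_CHARS = 120               # "short or null message body"
LEGITIMATE_QR_HOSTS = {"hr.example-corp.com"}  # assumed allowlist of known-good QR destinations


@dataclass
class Attachment:
    filename: str
    content_type: str
    text: str                      # text recovered from the PDF by OCR / extraction
    qr_urls: list = field(default_factory=list)  # URLs decoded from QR codes in the PDF


@dataclass
class Email:
    body: str
    attachments: list
    sender_has_benign_history: bool  # sender-profile signal from prior traffic


def is_compensation_qr_lure(email: Email) -> bool:
    """Return True when all of the summarised conditions hold."""
    pdfs = [a for a in email.attachments
            if a.content_type == "application/pdf" or a.filename.lower().endswith(".pdf")]
    if len(email.attachments) != 1 or len(pdfs) != 1:       # exactly one PDF, nothing else
        return False
    if len(email.body.strip()) > MAX_BODY_CHARS:            # body must be short or empty
        return False
    pdf = pdfs[0]
    if not (COMPENSATION_TERMS.search(pdf.text) or COMPENSATION_TERMS.search(pdf.filename)):
        return False
    # Keep only QR URLs whose host is not on the legitimate-destination allowlist.
    suspicious_qr = [u for u in pdf.qr_urls if urlparse(u).hostname not in LEGITIMATE_QR_HOSTS]
    if not suspicious_qr:
        return False
    return not email.sender_has_benign_history


# Constructed sample messages.
LURE = Email(body="See attached.", sender_has_benign_history=False,
             attachments=[Attachment("2025_Compensation_Review.pdf", "application/pdf",
                                     "Scan the QR code to view your salary adjustment.",
                                     ["https://verify-login.example.net/id"])])
BENIGN = Email(body="Hi all, attached is the payroll calendar for Q4 as discussed.",
               sender_has_benign_history=True,
               attachments=[Attachment("payroll_calendar.pdf", "application/pdf",
                                       "Payroll dates", ["https://hr.example-corp.com/cal"])])
```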
Categories
  • Network
  • Endpoint
  • Cloud
  • Web
  • Application
Data Sources
  • File
  • Malware Repository
  • User Account
  • Network Traffic
Created: 2025-08-19