QR code to auto-download of a suspicious file type (unsolicited)

Sublime Rules

Summary
This detection rule targets the auto-download of potentially malicious files through QR codes embedded in unsolicited emails. When a user scans a QR code in the email, it may unintentionally initiate a download of harmful file types such as LNK, JS, or VBA. The rule uses recursive file processing to unpack and analyze the downloaded files, including any nested inside archives, and checks their extensions against a defined list of dangerous types. It pays special attention to files downloaded from links analyzed via machine learning. To filter legitimate communications, it negates highly trusted sender domains unless the message fails DMARC authentication. The sender profile checks require that the sender is unsolicited, or that the sender shows signs of previous malicious activity, so that established correspondents are not flagged as false positives. Overall, this rule combines multiple analyses, including sender validation and file type examination, to detect and prevent the delivery of malware through QR codes.
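As an added illustration (not the Sublime Rules MQL source for this rule), the following Python models the decision logic the summary describes: recursive walk of downloaded files, extension check, trusted-domain negation with the DMARC exception, and the sender-profile condition. The message fields, the trusted-domain list and the sample messages are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional

DANGEROUS_EXTENSIONS = {"lnk", "js", "vba"}            # types named in the summary
HIGH_TRUST_DOMAINS = {"trusted.example"}                # assumed placeholder list


@dataclass
class FileNode:
    name: str
    children: List["FileNode"] = field(default_factory=list)  # archive contents, if any


@dataclass
class QRLink:
    url: str
    downloaded: Optional[FileNode] = None   # file obtained by following the decoded link


@dataclass
class Message:
    sender_domain: str
    dmarc_pass: bool
    sender_solicited: bool            # sender profile: prior legitimate exchange exists
    sender_prior_malicious: bool      # sender profile: earlier messages flagged
    qr_links: List[QRLink]


def walk(node: FileNode) -> Iterator[FileNode]:
    """Yield a file and everything nested inside it (archives within archives)."""
    yield node
    for child in node.children:
        yield from walk(child)


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def dangerous_files(msg: Message) -> List[str]:
    """Names of downloaded files, at any archive depth, with a dangerous extension."""
    return [f.name for link in msg.qr_links if link.downloaded
            for f in walk(link.downloaded) if extension(f.name) in DANGEROUS_EXTENSIONS]


def matches_rule(msg: Message) -> bool:
    trusted = msg.sender_domain in HIGH_TRUST_DOMAINS and msg.dmarc_pass
    suspicious_sender = (not msg.sender_solicited) or msg.sender_prior_malicious
    return bool(dangerous_files(msg)) and not trusted and suspicious_sender


def constructed_samples() -> Dict[str, Message]:
    """Constructed sample messages covering the rule's main branches."""
    payload = FileNode("invoice.zip", [FileNode("inner.tar", [FileNode("Invoice.LNK")])])
    link = QRLink("https://download.invalid/qr", payload)
    return {
        "unknown_unsolicited": Message("unknown.invalid", True, False, False, [link]),
        "trusted_dmarc_pass": Message("trusted.example", True, False, False, [link]),
        "trusted_dmarc_fail": Message("trusted.example", False, False, False, [link]),
        "solicited_clean": Message("unknown.invalid", True, True, False, [link]),
        "solicited_prior_bad": Message("unknown.invalid", True, True, True, [link]),
    }
```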
Categories
  • Endpoint
  • Web
  • Cloud
Data Sources
  • File
  • Web Credential
  • Process
  • Network Traffic
Created: 2024-11-20