
Attachment: ICS calendar file with QR code containing recipient email address
Sublime Rules
Summary
Detects inbound calendar attachments (.ics) that embed a QR code whose payload contains the recipient's email address. The rule targets credential-theft campaigns that personalize the phish by placing the target's address inside the ICS event data or inside the QR payload. It matches attachments by ICS file type or content type, enumerates calendar events with a beta ICS parser, and runs a QR code reader over the attachment's description/HTML representation. The decoded QR data and any URL found in the event data are then checked for the first To recipient's address (recipients.to[0].email.email), looked for in the URL itself, in the URL fragment, or in base64-encoded content. A match is treated as a high-severity credential-phishing attempt. Because the rule depends on beta features (ICS parsing and QR extraction), it may change as those features evolve. Detection methods: file analysis, QR code analysis, URL analysis, and content analysis, combined to identify personalized, mail-based social-engineering campaigns.
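The matching logic the summary describes, as an added illustration written for this page rather than the rule's own MQL: a stand-alone Python approximation that unfolds and parses the ICS, pulls URLs out of the event properties, takes already-decoded QR payloads as strings (QR image decoding is assumed to have happened upstream, as the rule's QR reader does), and looks for the recipient address literally, percent-encoded, or inside base64 tokens in the path, query or fragment. The sample calendars and QR payload are constructed for the example, not taken from a real campaign, and the function names and helper structure are this example's own. Like the rule, it compares a single recipient address, so a message whose only targeted recipient is not recipients.to[0] would be missed by both.

```python
"""Stand-alone approximation of the rule's matching logic (added example, not
the rule's MQL). QR image decoding is assumed to happen upstream; the decoded
payload strings are passed in as the rule's QR reader would supply them."""
import base64
import re
from urllib.parse import unquote, urlparse

# Constructed sample attachment, not a real campaign artefact. RFC 5545 folds
# long lines with CRLF + one space and escapes newlines and commas as \n and \,
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-0001@example.test\r\n"
    "SUMMARY:Mailbox quota notice\r\n"
    "DESCRIPTION:Your mailbox will be suspended. Review the notice at\\n\r\n"
    " https://verify.example.test/notice?user=victim%40example.com\\, or scan th\r\n"
    " e QR code.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
# Constructed control: an ordinary meeting invite with no recipient-specific URL.
BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-0002@example.test\r\nSUMMARY:Weekly sync\r\n"
    "DESCRIPTION:Join at https://meet.example.test/j/123456 (dial-in below).\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
# Constructed QR payload: the recipient address base64-encoded in the fragment.
SAMPLE_QR_PAYLOAD = "https://verify.example.test/s/#" + base64.urlsafe_b64encode(
    b"victim@example.com").decode()


def unfold_ics(text: str) -> list[str]:
    """Join folded lines: a line starting with SPACE or HTAB continues the previous one."""
    lines: list[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


_ESCAPES = {"\\n": "\n", "\\N": "\n", "\\,": ",", "\\;": ";", "\\\\": "\\"}
# NAME, optional ;PARAM=... list (quoted values may contain ':'), then ':' and the value.
_PROP_RE = re.compile(r'^([A-Za-z0-9-]+)(?:;(?:[^":]|"[^"]*")*)?:(.*)$')


def parse_ics_events(text: str) -> list[dict[str, str]]:
    """One dict of NAME -> unescaped value per VEVENT (property parameters are dropped)."""
    events: list[dict[str, str]] = []
    current = None
    for line in unfold_ics(text):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and (m := _PROP_RE.match(line)):
            value = re.sub(r"\\[nN,;\\]", lambda e: _ESCAPES[e.group(0)], m.group(2))
            current[m.group(1).upper()] = value
    return events


_URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
_B64_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")


def extract_urls(text: str) -> list[str]:
    """Pull http(s) URLs out of free text, dropping trailing punctuation."""
    return [u.rstrip(".,;:)]}>") for u in _URL_RE.findall(text)]


def base64_decodings(s: str) -> list[str]:
    """Decode every base64-looking token with both the standard and URL-safe alphabets."""
    out: list[str] = []
    for tok in _B64_RE.findall(s):
        padded = tok.rstrip("=")
        padded += "=" * (-len(padded) % 4)  # re-pad, since attackers often strip '='
        for decoder in (base64.b64decode, base64.urlsafe_b64decode):
            try:
                out.append(decoder(padded).decode("utf-8", "ignore"))
            except ValueError:  # binascii.Error is a ValueError
                pass
    return out


def payload_targets(data: str, email: str) -> bool:
    """True if the address appears in the payload's path, query or fragment:
    literally, percent-encoded, or inside a base64 token. Non-URL payloads
    (plain text, mailto:) land in urlparse's path and are checked the same way."""
    needle = email.lower()
    parts = urlparse(data)
    for part in (parts.path, parts.query, parts.fragment):
        decoded = unquote(part)
        if needle in decoded.lower():
            return True
        if any(needle in d.lower() for d in base64_decodings(decoded)):
            return True
    return False


def recipient_targeted(ics_text: str, qr_payloads: list[str], recipient_email: str) -> bool:
    """Rule verdict: any URL in the calendar events, or any decoded QR payload,
    carries the recipient's address. One address only, mirroring recipients.to[0]."""
    candidates = list(qr_payloads)
    for event in parse_ics_events(ics_text):
        for value in event.values():
            candidates.extend(extract_urls(value))
    return any(payload_targets(c, recipient_email) for c in candidates)


if __name__ == "__main__":
    print(recipient_targeted(SAMPLE_ICS, [], "victim@example.com"))                   # True: link in DESCRIPTION
    print(recipient_targeted(BENIGN_ICS, [SAMPLE_QR_PAYLOAD], "victim@example.com"))  # True: base64 fragment
    print(recipient_targeted(BENIGN_ICS, [], "victim@example.com"))                   # False
```

The percent-decoding and base64 passes matter more than the literal check: a lure that puts `victim%40example.com` in a query string or a stripped-padding base64 blob in the fragment contains no literal address, which is exactly the case the rule's "base64-encoded content" clause exists for.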
Categories
- Endpoint
Data Sources
- File
- Image
Created: 2026-04-21