
Link: QR code in EML attachment with credential phishing indicators

Sublime Rules

Summary
This detection rule identifies QR codes embedded in EML attachments, a technique used in credential phishing attacks. The rule evaluates inbound emails that carry exactly one attachment whose MIME type is 'message/rfc822' or whose file extension is '.eml'. When such an attachment is found, the rule scans its contents for QR codes that decode to URLs and submits those URLs to link analysis, which flags them if they resolve to a phishing site or pass through an open redirect, a common tactic for disguising malicious links. To limit false positives from legitimate sources, the rule also requires that the domain in the QR code URL is not one of the organization's known domains. Detections are classified with 'high' severity because of the risk of credential theft. The rule combines computer vision for QR code processing with content and file analysis techniques.
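The gating and URL checks the summary describes, written out as an added example in plain Python rather than the rule's own query language (this is not the Sublime rule or any Sublime code). It assumes a constructed allowlist `ORG_DOMAINS` standing in for the organization's known domains, two constructed messages `SAMPLE_EML` and `SAMPLE_PLAIN`, and that the two steps needing outside components, decoding QR images to URLs and obtaining a link-analysis phishing verdict, are performed elsewhere and passed in as `decoded_qr_urls` and `phishing_verdicts`. The open-redirect heuristic (`is_open_redirect`) is this example's own approximation, not the rule's link analysis.

```python
# Added example (not the Sublime rule or its MQL): the attachment gating and URL
# checks the summary describes, implemented with the Python standard library.
# QR decoding and the link-analysis verdict are external steps passed in as inputs.
import email
from email import policy
from urllib.parse import parse_qs, urlparse

# Constructed allowlist standing in for the organization's known domains.
ORG_DOMAINS = {"example.com"}

# Constructed inbound message: exactly one message/rfc822 attachment named voicemail.eml.
SAMPLE_EML = b"""\
From: sender@attacker-example.test
To: victim@example.com
Subject: New voicemail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

See the attached message.
--outer
Content-Type: message/rfc822
Content-Disposition: attachment; filename="voicemail.eml"

From: noreply@attacker-example.test
Subject: Voicemail notification
Content-Type: text/plain

Scan the QR code to listen to your message.
--outer--
"""

# Constructed control message with no attachment at all.
SAMPLE_PLAIN = b"""\
From: sender@attacker-example.test
To: victim@example.com
Subject: Hello
Content-Type: text/plain

Just text.
"""


def single_eml_attachment(msg):
    """Return the attachment part if the message has exactly one attachment and it is
    either a nested message (message/rfc822) or a file named *.eml; otherwise None."""
    attachments = list(msg.iter_attachments())
    if len(attachments) != 1:
        return None
    part = attachments[0]
    name = (part.get_filename() or "").lower()
    if part.get_content_type() == "message/rfc822" or name.endswith(".eml"):
        return part
    return None


def in_org_domains(host):
    """True if host is one of the organization's domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def is_open_redirect(url):
    """Heuristic (this example's own): a query parameter whose value is an absolute
    http(s) URL pointing at a different host than the link itself."""
    outer = urlparse(url)
    outer_host = (outer.hostname or "").lower()
    for values in parse_qs(outer.query).values():
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname \
                    and inner.hostname.lower() != outer_host:
                return True
    return False


def evaluate(raw_eml, decoded_qr_urls, phishing_verdicts):
    """Apply the rule's conditions and return the QR URLs that match.

    decoded_qr_urls: URLs a QR decoder extracted from images in the attachment
                     (assumed external step).
    phishing_verdicts: URLs that link analysis classified as phishing
                       (assumed external step, stand-in for the rule's link analysis).
    Inbound-direction gating is left to the mail platform and is not modelled here.
    """
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    if single_eml_attachment(msg) is None:
        return []
    hits = []
    for url in decoded_qr_urls:
        host = urlparse(url).hostname or ""
        if in_org_domains(host):
            continue  # known organization domain: excluded to avoid false positives
        if url in phishing_verdicts or is_open_redirect(url):
            hits.append(url)
    return hits


def severity(hits):
    """The rule classifies any match as high severity."""
    return "high" if hits else None


if __name__ == "__main__":
    found = evaluate(
        SAMPLE_EML,
        ["https://redirect.partner-example.test/out?u=https://evil-example.test/login"],
        set(),
    )
    print(found, severity(found))
```

The control message `SAMPLE_PLAIN` and a QR URL on an `ORG_DOMAINS` host both produce no match, which mirrors the two exclusions the rule relies on to keep false positives down; a real deployment would replace the `decoded_qr_urls` and `phishing_verdicts` inputs with an image-decoding library and a link-analysis service.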
Categories
  • Web
  • Endpoint
  • Cloud
  • Identity Management
  • Application
Data Sources
  • File
  • Process
  • Network Traffic
Created: 2024-02-06