Attachment: EML with QR code redirecting to Cloudflare challenges

Sublime Rules

Summary
Detects inbound emails, sent to a single recipient, whose attachments may abuse embedded QR codes to redirect to Cloudflare challenge pages. The rule parses EML attachments, identifies office documents (via file_extensions_macros) or PDFs/images, and scans them for embedded QR codes. It evaluates URLs found in QR codes (or in beta QR scan results) by resolving the final domain with link analysis, and flags the message if that domain resolves to challenges.cloudflare.com, which indicates an attempt to bypass controls via a Cloudflare Turnstile/Challenge flow. The approach combines file analysis, QR code analysis, URL analysis, and archive exploration to identify maldoc- and redirect-based phishing vectors that use QR codes. This is categorized as a low-severity detection, intended as early warning of evasion techniques that leverage QR-encoded redirects.
Categories
  • Endpoint
  • Network
  • Web
Data Sources
  • File
Created: 2026-04-02