diff --git a/detection-rules/qr_code_suspicious_indicators.yml b/detection-rules/qr_code_suspicious_indicators.yml
new file mode 100644
index 00000000000..b929c268a99
--- /dev/null
+++ b/detection-rules/qr_code_suspicious_indicators.yml
@@ -0,0 +1,59 @@
+name: "QR Code with suspicious indicators"
+description: |
+  This rule flags messages with QR codes in attachments when there are three or fewer attachments. If no attachments are present, the rule captures a screenshot of the message for analysis. Additional triggers include: sender's name containing the recipient's SLD, recipient's email mentioned in the body, an empty message body, a suspicious subject, or undisclosed recipients.
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and (
+    length(attachments) <= 3
+    and (
+      any(attachments,
+          .file_type in $file_types_images and (any(file.explode(.), .scan.qr.type == "url"))
+      )
+      or (
+        length(attachments) == 0
+        and any(file.explode(beta.message_screenshot()), .scan.qr.type == "url")
+      )
+    )
+    and not sender.email.domain.root_domain in $org_display_names
+    and (
+      any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld))
+      or any(recipients.to, strings.icontains(body.current_thread.text, .email.local_part))
+      or length(body.current_thread.text) is null
+      or body.current_thread.text == ""
+      or regex.contains(subject.subject,
+                        "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
+      )
+      or (any(recipients.to, strings.icontains(subject.subject, .display_name)))
+      or (
+        (length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients"))
+        and length(recipients.cc) == 0
+        and length(recipients.bcc) == 0
+      )
+    )
+  )
+  
+  // sender profile is new or outlier
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+        profile.by_sender().any_messages_malicious_or_spam
+        and not profile.by_sender().any_false_positives
+    )
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "QR code"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Computer Vision"
+  - "Natural Language Understanding"
+  - "QR code analysis"
+  - "Sender analysis"
+  - "URL analysis"
+id: "04f5c34f-6518-512d-916c-4c2c2827c6a9"