// Inbound message with a PDF attachment whose extracted text is classified as
// credential theft and which contains a QR code decoding to a URL that embeds
// a To: recipient's address, either verbatim or inside a base64 run.
type.inbound
and any(filter(attachments, .file_type == "pdf"),
    // strings extracted from the PDF carry the cred_theft intent
    // NOTE(review): depth 1 / file_name "text" presumably selects the text
    // output file.explode produces for the PDF - confirm against scanner output
    any(filter(file.explode(.), .depth == 1 and .file_name == "text"),
        any(ml.nlu_classifier(.scan.strings.raw).intents, .name == "cred_theft")
    )
    // the same attachment yields at least one QR code
    and length(beta.scan_qr(.).items) > 0
    // at least one QR code URL is personalised with a recipient address
    and any(beta.scan_qr(.).items,
        .url.domain.valid
        // only To: recipients are compared; here `.` is the recipient and
        // `..` is the enclosing QR code item
        and any(recipients.to,
            // NOTE(review): presumably also keeps an empty or malformed
            // address from matching every URL - confirm
            .email.domain.valid
            and (
                // the address appears as-is in the URL (case-insensitive)
                strings.icontains(..url.url, .email.email)
                // or in a base64 string found in the URL; here `.` is the
                // decoded string and `..` is the recipient
                or any(strings.scan_base64(..url.url, format="url", ignore_padding=true),
                    strings.icontains(., ..email.email)
                )
            )
        )
    )
)