type.inbound
//
// NOTE: beta.scan_qr is a beta feature and may change without notice;
// relying on it in custom rules is not recommended until it is formally released.
//
// Condition 1: a QR code must be decodable from the rendered message screenshot
and beta.scan_qr(file.message_screenshot()).found
// Condition 2: at least one decoded QR destination, when followed by link
// analysis, serves a download that looks like an executable or script -
// judged by name/extension first, and by the exploded file's MIME/yara
// flavors as a fallback for mislabelled binaries
and any(beta.scan_qr(file.message_screenshot()).items,
        any(ml.link_analysis(.url).files_downloaded,
            // extension-based match: script, executable and container types
            .file_extension in (
              "dll", "exe", "html", "lnk", "js", "vba", "vbs", "vbe",
              "bat", "py", "ics", "sh", "ps1"
            )
            // case-insensitive name match (ilike) for ".exe" variants
            or strings.ilike(.file_name, "*.exe")
            // content-based match via file.explode: a Mach-O binary, or an
            // MZ/DOS executable body carried under an extension other than
            // dll/exe (extension does not match the real file type)
            or any(file.explode(.),
                   any(.flavors.yara, . == "macho_file")
                   or (
                     (
                       .flavors.mime in ("application/x-dosexec")
                       or any(.flavors.yara, . in ('mz_file'))
                     )
                     and .file_extension not in ("dll", "exe")
                   )
            )
        )
)
// Condition 3: highly trusted sender root domains are excluded only while
// they pass DMARC; a trusted domain without a DMARC pass stays in scope.
// Equivalent to: (trusted and not dmarc.pass) or not trusted
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and headers.auth_summary.dmarc.pass
)
// Condition 4: sender reputation - unsolicited senders, or solicited senders
// with prior malicious/spam messages and no benign history
and (
  not profile.by_sender().solicited
  or (
    not profile.by_sender().any_messages_benign
    and profile.by_sender().any_messages_malicious_or_spam
  )
)