Attachment: Compensation-themed DOCX with QR code credential theft

Detects inbound messages containing DOCX attachments with compensation or benefit-related themes that include QR codes and suspicious indicators. The rule identifies files with reward/benefit language in filenames, compensation-related content in document metadata, and QR codes that may redirect to credential theft pages. It uses natural language processing to detect credential theft intent and suspicious topics like benefit enrollment or financial communications.

Sublime rule (View on GitHub)

  1name: "Attachment: Compensation-themed DOCX with QR code credential theft"
  2description: |
  3  Detects inbound messages containing DOCX attachments with compensation or benefit-related themes that include QR codes and suspicious indicators.
  4  The rule identifies files with reward/benefit language in filenames, compensation-related content in document metadata, and QR codes that may redirect to credential theft pages.
  5  It uses natural language processing to detect credential theft intent and suspicious topics like benefit enrollment or financial communications.  
  6type: "rule"
  7severity: "high"
   # Detection logic (MQL), evaluated per inbound message. All three top-level
   # gates must hold:
   #   1. at least one DOCX attachment, and a body that is short/null or short
   #      once a detected disclaimer is subtracted;
   #   2. some DOCX that (a) is compensation-themed by filename, recipient SLD in
   #      the filename, or EXIF title, AND (b) carries a QR code (referenced in
   #      text or decoded), AND (c) contains lure phrases or recipient
   #      personalization plus NLU cred_theft/topic signals;
   #   3. the sender root domain is not a high-trust domain that passes DMARC.
  8source: |
  9  type.inbound
 10  and (
   //  at least one DOCX; the per-attachment checks below re-filter on the same file_type
 11    length(filter(attachments, .file_type == "docx")) >= 1
 12    and (
 13      // short or null message body
 14      (
 15        length(body.current_thread.text) < 500 or body.current_thread.text is null
 16      )
 17      // ignore disclaimers in body length calculation
   //    each disclaimer entity is subtracted on its own (any() iterates single
   //    entities), so this passes when the body is short after removing ANY one
   //    disclaimer, not after removing all of them together
 18      or (
 19        any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
 20                       .name == "disclaimer"
 21                ),
 22                .text
 23            ),
 24            (length(body.current_thread.text) - length(.)) < 500
 25        )
 26      )
 27    )
 28  )
 29  and (
 30    // attached DOCX contains a compensation review themed lure with a QR code and suspicious indicators
 31    any(filter(attachments, .file_type == "docx"),
 32        // add conditions for DOCX attachment
   //     (a) lure theme: filename keyword, recipient SLD in filename, or EXIF title keyword
   //     regex note: 'pay(?:roll)' matches only "payroll" (the group is not optional);
   //     'comp(?:ensation|liance|\b)' also matches "compliance" and a bare "comp"
   //     at a word boundary (e.g. "comp.docx")
 33        (
 34          regex.icontains(.file_name,
 35                          '(?:salary|pay(?:roll)|bonus|comp(?:ensation|liance|\b)|remuneration|disbursement|incentive|merit|vesting|employee.*(?:reward|benefit)s?)'
 36          )
 37          // recipient email SLD in filename
   //       '..file_name' refers to the attachment in the enclosing any(); only
   //       recipients with a valid domain are considered
 38          or any(recipients.to,
 39                 strings.icontains(..file_name, .email.domain.sld)
 40                 and .email.domain.valid
 41          )
   //       same theme regex as the filename check, applied to the document's EXIF title
 42          or regex.icontains(beta.parse_exif(.).title,
 43                             '(?:salary|pay(?:roll)|bonus|comp(?:ensation|liance|\b)|remuneration|disbursement|incentive|merit|vesting|employee.*(?:reward|benefit)s?)'
 44          )
 45        )
 46        // add conditions for text and any QR code within the DOCX attachment
   //     (b) QR presence, satisfied by either branch below
 47        and (
 48          // conditions for QR code via text
   //       a prompt word (scan/camera/review and sign) AND a QR/barcode reference
   //       must both appear in the same extracted text source (raw strings or OCR)
 49          any(file.explode(.),
 50              any([.scan.strings.raw, .scan.ocr.raw],
 51                  regex.icontains(., 'scan|camera|review and sign')
 52                  and regex.icontains(., '\bQR\b|Q\.R\.|barcode')
 53              )
   //           or a decoded QR URL that embeds a recipient address, either in the
   //           plain URL or inside a base64 segment (scan_base64 with format="url")
 54              or (
 55                .scan.qr.type == "url"
 56                and .scan.qr.url.url is not null
 57                and any(recipients.to,
 58                        .email.domain.valid
 59                        and (
 60                          strings.icontains(..scan.qr.url.url, .email.email)
 61                          or any(strings.scan_base64(..scan.qr.url.url,
 62                                                     format="url"
 63                                 ),
 64                                 strings.icontains(., ..email.email)
 65                          )
 66                        )
 67                )
 68              )
 69          )
   //       broader alternative: any decoded QR that is a URL on a valid domain;
   //       this branch alone satisfies gate (b)
 70          or any(file.explode(.),
 71                 .scan.qr.type == "url" and .scan.qr.url.domain.valid
 72          )
 73        )
 74        // conditions for text
   //     (c) content: explicit lure phrases in strings/OCR/EXIF title, or
   //     recipient personalization combined with NLU signals on the OCR text
 75        and any(file.explode(.),
 76                // review/change terms in file content
 77                any([.scan.strings.raw, .scan.ocr.raw, .scan.exiftool.title],
 78                    (
 79                      regex.icontains(.,
 80                                      '\b(?:Remuneration Overview|Updated Compensation (?:Summary|Schedule|Details)|Access Your Statements?|Staff Performance Appraisal|Compensation Adjustment|performance appraisal|Appraisal Overview|appraisal and compensation|salary (?:increment|deduction))\b'
 81                      )
 82                    )
 83                )
 84                or (
 85                  // recipient local_part in attachment body
   //               NOTE(review): strings.contains is case-sensitive here, unlike the
   //               icontains checks above — confirm this is intended for OCR output
 86                  any(recipients.to,
 87                      strings.contains(..scan.ocr.raw, .email.local_part)
 88                  )
 89                  and (
 90                    // NLU cred_theft disposition
   //                 both NLU checks run the classifier on the same OCR text and
   //                 require a confidence other than "low"
 91                    any(ml.nlu_classifier(.scan.ocr.raw).intents,
 92                        .name == "cred_theft" and .confidence != "low"
 93                    )
 94                    // suspicious topics
 95                    and any(ml.nlu_classifier(.scan.ocr.raw).topics,
 96                            .name in (
 97                              "Benefit Enrollment",
 98                              "Financial Communications"
 99                            )
100                            and .confidence != "low"
101                    )
102                  )
103                )
104        )
105    )
106  )
107  
108  // negate highly trusted sender domains unless they fail DMARC authentication
   //  coalesce(..., false) treats a missing DMARC result as a failure, so a
   //  high-trust domain with no DMARC verdict is NOT excluded
109  and not (
110    sender.email.domain.root_domain in $high_trust_sender_root_domains
111    and coalesce(headers.auth_summary.dmarc.pass, false)
112  )   
113attack_types:
114  - "Credential Phishing"
115tactics_and_techniques:
116  - "QR code"
117  - "Social engineering"
118  - "Impersonation: Brand"
119detection_methods:
120  - "File analysis"
121  - "Optical Character Recognition"
122  - "QR code analysis"
123  - "Natural Language Understanding"
124  - "Exif analysis"
125  - "Content analysis"
126id: "a2455111-b689-5004-b7cb-db1407297e0b"