Attachment: EML with QR code redirecting to Cloudflare challenges

Detects EML attachments containing office documents, PDFs, or images with embedded QR codes that redirect to Cloudflare challenge pages, potentially used to bypass security measures.

Sublime rule (View on GitHub)

# Sublime Security detection rule; the MQL query lives under `source`.
# Flags inbound mail whose attached .eml files carry a QR code that, once the
# decoded link is followed, lands on a page whose final DOM references
# challenges.cloudflare.com.
name: "Attachment: EML with QR code redirecting to Cloudflare challenges"
description: "Detects EML attachments containing office documents, PDFs, or images with embedded QR codes that redirect to Cloudflare challenge pages, potentially used to bypass security measures."
type: "rule"
# NOTE(review): severity is low, presumably because a Cloudflare challenge host
# in the final DOM is a weak indicator on its own (legitimate sites fronted by
# a Cloudflare challenge may also match) — confirm against false-positive data.
severity: "low"
source: |
  type.inbound
  // Scope: exactly one To: recipient, and that recipient's domain must be valid
  and length(recipients.to) == 1
  and recipients.to[0].email.domain.valid
  and any(attachments,
          // Email Attachments
          // Each outer attachment is parsed as an EML and its own attachments are inspected
          any(file.parse_eml(.).attachments,
              (
                // looks for office docs in the attached eml
                .file_extension in $file_extensions_macros
                // explode the document and require a QR code that decodes to a URL
                and any(file.explode(.),
                        .scan.qr.type == "url"
                        // the rendered (final) DOM reached from the QR URL is searched,
                        // case-insensitively, for the Cloudflare challenge host
                        and regex.icontains(ml.link_analysis(.scan.qr.url).final_dom.raw,
                                            'challenges\.cloudflare\.com',
                        )
                )
              )
              or (
                // looks for pdfs and images in the attached eml
                //
                // This rule makes use of a beta feature and is subject to change without notice
                // using the beta feature in custom rules is not suggested until it has been formally released
                //
                // NOTE(review): this branch accepts any non-null QR type, whereas the
                // office-document branch above requires type == "url" — confirm the
                // asymmetry is intended
                any(beta.scan_qr(.).items,
                    .type is not null
                    // same final-DOM check as the office-document branch
                    and regex.icontains(ml.link_analysis(.url).final_dom.raw,
                                        'challenges\.cloudflare\.com'
                    )
                )
              )
          )
  )  

attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "QR code"
detection_methods:
  - "File analysis"
  - "QR code analysis"
  - "URL analysis"
  - "Archive analysis"
id: "86197d42-4547-57da-994d-0b798a71ea83"