Brand Impersonation: Google (QR Code)

Detects messages using Google-based lures that reference or include a QR code, sent from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Sublime rule (View on GitHub)

 1name: "Brand Impersonation: Google (QR Code)"
 2description: "Detects messages using Google based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 1000
 8  and any([subject.subject, sender.display_name, body.current_thread.text],
 9          regex.icontains(.,
10                          '(\b2fa\b|\bQ.?R\.?\s?\b|MFA|Muti[ -]?Factor|(Auth(enticat|e|or|ion))?)'
11          )
12  )
13  and (
14    any(attachments,
15        (
16          .file_type in $file_types_images
17          or .file_type == "pdf"
18          or .file_type in~ $file_extensions_macros
19        )
20        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
21    )
22    or any(ml.logo_detect(beta.message_screenshot()).brands,
23           strings.starts_with(.name, "Google")
24    )
25  )
26  and any(attachments,
27          (
28            .file_type in $file_types_images
29            or .file_type == "pdf"
30            or .file_type in $file_extensions_macros
31          )
32          and (
33            any(file.explode(.),
34                regex.icontains(.scan.ocr.raw, 'scan|camera')
35                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
36            )
37            or (
38              any(file.explode(.),
39                  (
40                    .scan.qr.type is not null
41                    and regex.contains(.scan.qr.data, '\.')
42                  )
43                  or (
44                    any(file.explode(beta.message_screenshot()),
45                        .scan.exiftool.image_height < 2000
46                        and .scan.exiftool.image_width < 2000
47                        and .scan.qr.type is not null
48                        and regex.contains(.scan.qr.data, '\.')
49                    )
50                  )
51              )
52            )
53          )
54  )
55
56  and (
57    not profile.by_sender().solicited
58    or (
59      profile.by_sender().any_messages_malicious_or_spam
60      and not profile.by_sender().any_false_positives
61    )
62  )
63  and not profile.by_sender().any_false_positives
64  
65  // negate highly trusted sender domains unless they fail DMARC authentication
66    and (
67      (
68        sender.email.domain.root_domain in $high_trust_sender_root_domains
69        and (
70          any(distinct(headers.hops, .authentication_results.dmarc is not null),
71              strings.ilike(.authentication_results.dmarc, "*fail")
72          )
73        )
74      )
75      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
76    )  
77
78attack_types:
79  - "Credential Phishing"
80tactics_and_techniques:
81  - "Impersonation: Brand"
82  - "PDF"
83  - "QR code"
84detection_methods:
85  - "Computer Vision"
86  - "Header analysis"
87  - "QR code analysis"
88  - "Sender analysis"
89id: "7ffd184c-d936-5894-9d5a-cd1fbd105a0d"