Brand Impersonation: Google (QR Code)

Detects messages that use Google-based lures and reference or include a QR code, sent by an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Sublime rule

 1name: "Brand Impersonation: Google (QR Code)"
 2description: "Detects messages using Google based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 1000
 8  and any([subject.subject, sender.display_name, body.current_thread.text],
 9          regex.icontains(.,
10                          '(\b2fa\b|\bQ.?R\.?\s?\b|MFA|Muti[ -]?Factor|(Auth(enticat|e|or|ion))?)'
11          )
12  )
13  and (
14    any(attachments,
15        (
16          .file_type in $file_types_images
17          or .file_type == "pdf"
18          or .file_type in~ $file_extensions_macros
19        )
20        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
21    )
22    or any(ml.logo_detect(file.message_screenshot()).brands,
23           strings.starts_with(.name, "Google")
24    )
25  )
26  and any(attachments,
27          (
28            .file_type in $file_types_images
29            or .file_type == "pdf"
30            or .file_type in $file_extensions_macros
31          )
32          and (
33            any(file.explode(.),
34                regex.icontains(.scan.ocr.raw, 'scan|camera')
35                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
36            )
37            or any(file.explode(.),
38                   .scan.qr.type is not null
39                   and regex.contains(.scan.qr.data, '\.')
40            )
41            or (
42              //
43              // This rule makes use of a beta feature and is subject to change without notice
44              // using the beta feature in custom rules is not suggested until it has been formally released
45              //
46              beta.parse_exif(file.message_screenshot()).image_height < 2000
47              and beta.parse_exif(file.message_screenshot()).image_width < 2000
48              and any(beta.scan_qr(file.message_screenshot()).items,
49                      .type is not null and regex.contains(.data, '\.')
50              )
51            )
52          )
53  )
54  and (
55    not profile.by_sender().solicited
56    or (
57      profile.by_sender().any_messages_malicious_or_spam
58      and not profile.by_sender().any_messages_benign
59    )
60  )
61  and not profile.by_sender().any_messages_benign
62  
63  // negate highly trusted sender domains unless they fail DMARC authentication
64  and (
65    (
66      sender.email.domain.root_domain in $high_trust_sender_root_domains
67      and (
68        any(distinct(headers.hops, .authentication_results.dmarc is not null),
69            strings.ilike(.authentication_results.dmarc, "*fail")
70        )
71      )
72    )
73    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
74  )  
75attack_types:
76  - "Credential Phishing"
77tactics_and_techniques:
78  - "Impersonation: Brand"
79  - "PDF"
80  - "QR code"
81detection_methods:
82  - "Computer Vision"
83  - "Header analysis"
84  - "QR code analysis"
85  - "Sender analysis"
86id: "7ffd184c-d936-5894-9d5a-cd1fbd105a0d"