Attachment: HTML smuggling - QR Code with suspicious links
This rule detects inbound messages carrying one or two attachments where an HTML attachment (or an archive / extension-less octet-stream file) renders a QR code that encodes a URL or URL-like string, sent from an unsolicited or previously malicious/spam sender with no benign history. Highly trusted sender domains are excluded unless the message fails DMARC.
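name: "Attachment: HTML smuggling - QR Code with suspicious links"
description: "This rule detects inbound messages carrying one or two attachments where an HTML attachment (or an archive / extension-less octet-stream file) renders a QR code that encodes a URL or URL-like string, sent from an unsolicited or previously malicious/spam sender with no benign history. Highly trusted sender domains are excluded unless the message fails DMARC."
type: "rule"
severity: "high"
source: |
  type.inbound
  // scope to messages with exactly one or two attachments
  and 1 <= length(attachments) < 3

  // inspects HTML attachments for QR codes.
  // An attachment qualifies by HTML extension, by detected file_type or
  // content_type, when it has no extension and is an opaque octet-stream
  // (extension-stripped HTML), or when it carries a common archive extension.
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
            )
            or .file_extension in~ $file_extensions_common_archives
            or .file_type == "html"
            or .content_type == "text/html"
          )
          // render the attachment and scan the screenshot for QR codes
          and any(file.explode(file.html_screenshot(.)),
                  // any URL that link analysis accepted for submission
                  ml.link_analysis(.scan.qr.url).submitted
                  // currently we won't pick it up as a URL if it's
                  // not prefaced with a scheme. this is not very strong,
                  // but it's unlikely to cause FPs for this rule
                  or regex.contains(.scan.qr.data, '\.')
          )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication.
  // NOTE(review): for a trusted domain with no DMARC result at all,
  // `not headers.auth_summary.dmarc.pass` depends on null handling — confirm
  // the intended outcome (alert vs. suppress) with the engine's semantics.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // sender must be unsolicited, or have prior malicious/spam messages,
  // and must never have sent a message classified as benign.
  // (The benign check is applied once, below; repeating it inside the
  // malicious/spam branch was redundant.)
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_messages_benign
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
# The source above exercises QR scanning of a rendered screenshot,
# ml.link_analysis on the decoded URL, DMARC header summary and the
# sender profile. NOTE(review): no explicit NLU call appears in the
# source; confirm "Natural Language Understanding" still applies.
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "Natural Language Understanding"
  - "QR code analysis"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "010e757d-f569-5f25-b68b-832edb5e1120"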