Attachment: HTML smuggling - QR Code with suspicious links

This rule detects inbound messages with one or two HTML (or archived) attachments whose rendered content contains a QR code encoding a URL or URL-like text, sent from a domain that is not highly trusted (or that fails DMARC) by a sender without an established, clean history.

Sublime rule

# Sublime Security detection rule (MQL).
# Fires on inbound mail carrying one or two HTML (or archived) attachments whose
# rendered screenshot contains a QR code that encodes a URL or URL-like text, when
# the sender is not highly trusted (or fails DMARC) and has no clean, solicited history.
name: "Attachment: HTML smuggling - QR Code with suspicious links"
# NOTE(review): the description understates the rule; it also requires URL-like QR
# content, a non-trusted (or DMARC-failing) sender domain, and an unsolicited sender
# profile -- see the conditions in `source` below.
description: "This rule detects messages with HTML attachments containing QR codes"
type: "rule"
severity: "high"
source: |
  type.inbound
  // one or two attachments only; larger bundles are out of scope for this rule
  and 1 <= length(attachments) < 3
  
  // inspects HTML attachments for QR codes
  and any(attachments,
          (
            // HTML by extension ...
            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
            // ... or an extension-less, type-unknown octet-stream (presumably to
            // catch HTML delivered without a tell-tale extension -- confirm)
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
            )
            // ... or a common archive type
            // NOTE(review): file.html_screenshot() is the only call applied to the
            // attachment below; confirm it handles archive inputs as intended.
            or .file_extension in~ $file_extensions_common_archives
            // ... or HTML by detected file type / declared MIME type
            or .file_type == "html"
            or .content_type == "text/html"
          )
          // render the attachment and explode the screenshot so the QR scanner
          // runs over the rendered page rather than the raw HTML
          and any(file.explode(file.html_screenshot(.)),
                  // any URL
                  beta.linkanalysis(.scan.qr.url).submitted
                  // currently we won't pick it up as a URL if it's
                  // not prefaced with a scheme. this is not very strong,
                  // but it's unlikely to cause FPs for this rule
                  // NOTE(review): any QR payload containing a '.' satisfies this
                  // fallback (e.g. contact cards or Wi-Fi configs); the sender
                  // conditions below are what keep it tolerable.
                  or regex.contains(.scan.qr.data, '\.')
          )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        // NOTE(review): distinct() keyed on the boolean retains one hop per key
        // value, so at most one hop carrying a DMARC result is examined here --
        // confirm this is the intended behaviour for multi-hop (forwarded) mail.
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender must be unsolicited, or solicited but with prior malicious/spam
  // history and no recorded false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // NOTE(review): this unconditional false-positive check makes the inner
  // `not profile.by_sender().any_false_positives` above redundant.
  and not profile.by_sender().any_false_positives  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  # NOTE(review): no natural-language classifier call appears in `source`;
  # confirm this entry is still accurate.
  - "Natural Language Understanding"
  - "QR code analysis"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "010e757d-f569-5f25-b68b-832edb5e1120"