Attachment: HTML smuggling - QR Code with suspicious links
This rule detects messages with HTML attachments containing QR codes
# Sublime Security detection rule: flags inbound messages carrying an HTML
# (or HTML-like / archive) attachment whose rendered content contains a QR code
# that decodes to a URL or a URL-looking string, from a sender that is not
# established as trusted or solicited.
name: "Attachment: HTML smuggling - QR Code with suspicious links"
description: "This rule detects messages with HTML attachments containing QR codes"
type: "rule"
severity: "high"
source: |
  type.inbound
  // only messages with one or two attachments are considered
  and 1 <= length(attachments) < 3

  // inspects HTML attachments for QR codes
  and any(attachments,
          (
            // HTML by extension ...
            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
            // ... or an extension-less attachment that file-type detection
            // could not identify and that is declared as a generic binary
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
            )
            // ... or a common archive (presumably so HTML nested inside an
            // archive is also rendered below - confirm against html_screenshot)
            or .file_extension in~ $file_extensions_common_archives
            // ... or HTML by detected file type / declared content type
            or .file_type == "html"
            or .content_type == "text/html"
          )
          // render the attachment to a screenshot and inspect any QR codes
          // found in the exploded result
          and any(file.explode(file.html_screenshot(.)),
                  // any URL
                  ml.link_analysis(.scan.qr.url).submitted
                  // currently we won't pick it up as a URL if it's
                  // not prefaced with a scheme. this is not very strong,
                  // but it's unlikely to cause FPs for this rule
                  // NOTE(review): '\.' matches any decoded QR payload that
                  // contains a period, not only host-like strings; the
                  // sender-profile conditions below are what keep this from
                  // firing broadly
                  or regex.contains(.scan.qr.data, '\.')
          )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // NOTE(review): confirm whether a missing DMARC result (null) is intended to
  // count as "not pass" for a trusted domain here
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // sender reputation: fire for unsolicited senders, or for solicited senders
  // that have previously sent malicious/spam messages
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // senders with recorded false positives are excluded regardless of the
  // above (this also makes the inner any_false_positives check redundant)
  and not profile.by_sender().any_false_positives
# classification metadata (not part of the detection logic in `source`)
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "Natural Language Understanding"  # NOTE(review): no NLU function appears in `source`; confirm this entry
  - "QR code analysis"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "010e757d-f569-5f25-b68b-832edb5e1120"