Brand impersonation: Microsoft (QR code)
Detects messages that use Microsoft image-based lures and reference or include a QR code, sent from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Sublime rule (View on GitHub)
name: "Brand impersonation: Microsoft (QR code)"
description: |
  Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft"))
  )
  and any(attachments,
          .file_type in $file_types_images
          and (
            any(file.explode(.),
                regex.icontains(.scan.ocr.raw, 'scan|camera')
                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
            )
          )
          or (
            any(file.explode(.),
                .scan.qr.type == "url"
                // recipient email address is present in the URL, a common tactic used in credential phishing attacks
                and any(recipients.to, strings.icontains(..scan.qr.data, .email.email))
            )
          )
  )
  and (
    not any(headers.hops,
            .authentication_results.compauth.verdict is not null
            and .authentication_results.compauth.verdict == "pass"
            and sender.email.domain.domain == "microsoft.com"
    )
  )
  // unsolicited
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "ed0f772a-6543-5947-80d1-55a11ea63074"
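As an added illustration, not part of the Sublime rule or its page, the Python below re-expresses the rule's four conditions (Microsoft logo, QR-code lure, not an authenticated microsoft.com sender, unsolicited sender) over a simplified message model so each branch can be exercised on constructed samples. The logo-detection, OCR and QR-decoding results that Sublime computes with ml.logo_detect, file.explode and beta.message_screenshot are assumed to be already available as fields on the attachment, the $free_email_providers, $recipient_emails and $recipient_domains lists are replaced by small constructed sets, and root_domain is a simplified stand-in that keeps only the last two labels.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed stand-ins for the rule's list references; Sublime's real lists are far larger.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
IMAGE_FILE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp"}

# Same patterns as the rule's OCR checks; regex.icontains maps to re.I here.
SCAN_WORDS = re.compile(r"scan|camera", re.I)
QR_WORDS = re.compile(r"\bQR\b|Q\.R\.|barcode", re.I)


@dataclass
class Attachment:
    file_type: str
    logo_brands: List[str] = field(default_factory=list)  # stand-in for ml.logo_detect(.).brands
    ocr_text: str = ""              # stand-in for .scan.ocr.raw of the exploded file
    qr_type: Optional[str] = None   # stand-in for .scan.qr.type ("url" when a URL was decoded)
    qr_data: str = ""               # stand-in for .scan.qr.data


@dataclass
class Message:
    sender_email: str
    recipients_to: List[str]
    attachments: List[Attachment]
    screenshot_brands: List[str]            # stand-in for ml.logo_detect(beta.message_screenshot()).brands
    compauth_verdicts: List[Optional[str]]  # one entry per header hop, None when the header is absent
    recipient_emails: Set[str]              # stand-in for $recipient_emails (addresses the org has mailed)
    recipient_domains: Set[str]             # stand-in for $recipient_domains


def sender_domain(msg: Message) -> str:
    return msg.sender_email.split("@", 1)[1].lower()


def root_domain(domain: str) -> str:
    # Simplified stand-in for .root_domain: last two labels, no public-suffix list.
    return ".".join(domain.lower().split(".")[-2:])


def is_image(att: Attachment) -> bool:
    return att.file_type.lower() in IMAGE_FILE_TYPES


def microsoft_lure(msg: Message) -> bool:
    """Condition 1: a Microsoft logo in an image attachment or in the rendered message."""
    in_attachment = any(is_image(a) and any(b.startswith("Microsoft") for b in a.logo_brands)
                        for a in msg.attachments)
    in_screenshot = any(b.startswith("Microsoft") for b in msg.screenshot_brands)
    return in_attachment or in_screenshot


def qr_lure(msg: Message) -> bool:
    """Condition 2: OCR text telling the reader to scan a QR code, or a decoded QR URL
    that embeds a recipient address (used to pre-fill credential phishing pages)."""
    for a in msg.attachments:
        if not is_image(a):
            continue
        if SCAN_WORDS.search(a.ocr_text) and QR_WORDS.search(a.ocr_text):
            return True
        if a.qr_type == "url" and any(r.lower() in a.qr_data.lower() for r in msg.recipients_to):
            return True
    return False


def authenticated_microsoft(msg: Message) -> bool:
    """Condition 3 (negated in the rule): compauth=pass on a hop and sender domain microsoft.com."""
    return any(v == "pass" for v in msg.compauth_verdicts) and sender_domain(msg) == "microsoft.com"


def unsolicited(msg: Message) -> bool:
    """Condition 4: free-mail sender never mailed before, or other sender from an unknown domain."""
    dom = sender_domain(msg)
    if root_domain(dom) in FREE_EMAIL_PROVIDERS:
        return msg.sender_email.lower() not in msg.recipient_emails
    return dom not in msg.recipient_domains


def matches(msg: Message) -> bool:
    return microsoft_lure(msg) and qr_lure(msg) and not authenticated_microsoft(msg) and unsolicited(msg)


def sample_messages():
    """Constructed samples: one that fires the rule and two that show each exclusion path."""
    victim = "jane.doe@example.com"
    lure = Attachment("png", ["Microsoft"], "Scan this QR code with your phone camera to review the document",
                      "url", f"https://login-verify.example.invalid/?e={victim}")
    base = dict(recipients_to=[victim], attachments=[lure], screenshot_brands=[],
                compauth_verdicts=[None], recipient_emails={"partner@vendor.example.com"},
                recipient_domains={"vendor.example.com"})
    return {
        "phish": Message(sender_email="docs.share4512@gmail.com", **base),
        "legit_microsoft": Message(sender_email="noreply@microsoft.com",
                                   **{**base, "compauth_verdicts": ["pass"]}),
        "known_sender": Message(sender_email="docs.share4512@gmail.com",
                                **{**base, "recipient_emails": {"docs.share4512@gmail.com"}}),
    }


if __name__ == "__main__":
    for label, m in sample_messages().items():
        print(f"{label}: {'MATCH' if matches(m) else 'no match'}")
```

The three samples map onto the rule's structure: the first satisfies every condition, the second is suppressed by the compauth exclusion even though the logo and QR checks fire, and the third is suppressed because the free-mail sender already appears in the organisation's outbound recipients, which is what the unsolicited block is meant to filter.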