Attachment: Compensation review lure with QR code

Detects PDF attachments containing compensation or payroll-themed content with QR codes from unsolicited or suspicious senders.

Sublime rule

  # Sublime Security detection rule: YAML metadata wrapping an MQL query in `source`.
  # Fires on inbound mail that carries exactly one PDF whose content reads like a
  # compensation/payroll lure with a QR code, sent by an address without a benign history.
  1name: "Attachment: Compensation review lure with QR code"
  2description: "Detects PDF attachments containing compensation or payroll-themed content with QR codes from unsolicited or suspicious senders."
  3type: "rule"
  4severity: "high"
  # The query is a conjunction of five gates:
  #   1. exactly one attachment, and it is a PDF;
  #   2. a short body: under 500 characters, null, or under 500 once the text of
  #      NLU-detected "disclaimer" entities is subtracted;
  #   3. attachment content (per exploded file): OCR text mentioning scan/camera AND
  #      QR/Q.R./barcode, or a decoded QR URL with a valid domain; combined with either
  #      pay-themed terms in the filename / fixed phrases in the OCR text, or
  #      recipient-specific personalisation (recipient SLD in the filename and recipient
  #      local_part in the OCR text) together with a non-low "cred_theft" intent and a
  #      non-low "Benefit Enrollment"/"Financial Communications" topic;
  #   4. sender reputation: unsolicited, or no benign history, or an $org_domains sender
  #      that does not pass DMARC (missing result coalesced to false);
  #   5. senders whose root domain is in $high_trust_sender_root_domains are excluded
  #      unless they fail DMARC.
  # NOTE(review): in the filename regex, `pay(?:roll)` has a group but no quantifier, so
  #   it matches only "payroll"; if bare "pay" was also intended, a `?` is missing. The
  #   same alternation matches "compliance" through `comp(?:ensation|liance|\b)` — confirm
  #   that is deliberate, since it widens the theme beyond pay.
  # NOTE(review): the $org_domains branch tests `not coalesce(headers.auth_summary.dmarc.pass, false)`,
  #   while the high-trust negation tests bare `not headers.auth_summary.dmarc.pass`. When
  #   no DMARC result is present the two branches may evaluate differently — confirm MQL's
  #   null semantics for `not`, or coalesce in both places for consistency.
  # NOTE(review): in the sender-profile block, `any_messages_malicious_or_spam and not
  #   any_messages_benign` is already implied by the preceding `not ... any_messages_benign`
  #   disjunct; the third clause is redundant (harmless, but it reads as a distinct condition).
  # NOTE(review): `or .scan.qr.type == "url" and .scan.qr.url.domain.valid` relies on `and`
  #   binding tighter than `or` (the usual precedence); wrapping the QR clause in parentheses
  #   would make the intended grouping explicit.
  # NOTE(review): `..file_name` / `..scan.ocr.raw` inside the `any(recipients.to, ...)` calls
  #   appear to reference the enclosing `file.explode` item rather than the recipient — verify
  #   against MQL scoping rules if this rule is edited.
  5source: |
  6  type.inbound
  7  and (
  8    (
  9      length(attachments) == 1
 10      and any(attachments, .content_type == "application/pdf")
 11    )
 12    and (
 13      // short or null message body
 14      (
 15        length(body.current_thread.text) < 500 or body.current_thread.text is null
 16      )
 17      // ignore disclaimers in body length calculation
 18      or (
 19        any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
 20                       .name == "disclaimer"
 21                ),
 22                .text
 23            ),
 24            (length(body.current_thread.text) - length(.)) < 500
 25        )
 26      )
 27    )
 28  )
 29  and (
 30    // attached PDF contains a compensation review themed lure with a QR code and suspicious indicators
 31    any(attachments,
 32        any(file.explode(.),
 33            (
 34              (
 35                regex.icontains(.scan.ocr.raw, 'scan|camera')
 36                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
 37              )
 38              or .scan.qr.type == "url" and .scan.qr.url.domain.valid
 39            )
 40            // pay-related terms in filename
 41            and (
 42              (
 43                regex.icontains(.file_name,
 44                                'salary|pay(?:roll)|bonus|comp(?:ensation|liance|\b)|remuneration|disbursement|incentive|merit|vesting'
 45                )
 46                // review/change terms in file content
 47                or regex.icontains(.scan.ocr.raw,
 48                                   '\b(Remuneration Overview|Updated Compensation (Summary|Schedule|Details)|Access Your Statements?)\b'
 49                )
 50              )
 51              or (
 52                (
 53                  // recipient email SLD in filename
 54                  any(recipients.to,
 55                      strings.icontains(..file_name, .email.domain.sld)
 56                      and .email.domain.valid
 57                  )
 58                  // recipient local_part in attachment body
 59                  and any(recipients.to,
 60                          strings.contains(..scan.ocr.raw, .email.local_part)
 61                  )
 62                )
 63                and (
 64                  // NLU cred_theft disposition
 65                  any(ml.nlu_classifier(.scan.ocr.raw).intents,
 66                      .name == "cred_theft" and .confidence != "low"
 67                  )
 68                  // suspicious topics
 69                  and any(beta.ml_topic(.scan.ocr.raw).topics,
 70                         .name in (
 71                           "Benefit Enrollment",
 72                           "Financial Communications"
 73                         )
 74                         and .confidence != "low"
 75                  )
 76                )
 77              )
 78            )
 79        )
 80    )
 81  )
 82  and (
 83    not profile.by_sender_email().solicited
 84    or not profile.by_sender_email().any_messages_benign
 85    or (
 86      profile.by_sender_email().any_messages_malicious_or_spam
 87      and not profile.by_sender_email().any_messages_benign
 88    )
 89    // account for spoofed sender domains
 90    or (
 91      sender.email.domain.domain in $org_domains
 92      and not coalesce(headers.auth_summary.dmarc.pass, false)
 93    )
 94  )
 95  
 96  // negate highly trusted sender domains unless they fail DMARC authentication
 97  and (
 98    (
 99      sender.email.domain.root_domain in $high_trust_sender_root_domains
100      and not headers.auth_summary.dmarc.pass
101    )
102    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
103  )  
104
  # Taxonomy metadata used for grouping and search in the rule feed; it does not
  # affect matching.
105attack_types:
106  - "Credential Phishing"
107tactics_and_techniques:
108  - "PDF"
109  - "QR code"
110  - "Social engineering"
111detection_methods:
112  - "File analysis"
113  - "Optical Character Recognition"
114  - "QR code analysis"
115  - "Natural Language Understanding"
116  - "Sender analysis"
117  - "Header analysis"
118id: "9fd8185c-e2a7-50d0-895d-9f6b1a1c43ab"