Attachment: Compensation review lure with QR code
Detects PDF attachments containing compensation or payroll-themed content with QR codes from unsolicited or suspicious senders.
name: "Attachment: Compensation review lure with QR code"
description: "Detects PDF attachments containing compensation or payroll-themed content with QR codes from unsolicited or suspicious senders."
type: "rule"
severity: "high"
# The MQL below is four AND-ed gates, all of which must hold:
#   1. exactly one attachment, a PDF, on an inbound message whose current-thread body is short/empty
#   2. that PDF has a compensation-themed (or recipient-SLD) file name, shows QR-code evidence
#      (text instructions or a decoded URL), and carries lure wording or recipient personalization + NLU signals
#   3. the sender is not an established/benign correspondent, or is an org domain failing DMARC
#   4. high-trust sender root domains are excluded unless DMARC does not pass
source: |
  type.inbound
  and (
    // gate 1a: a single attachment that is a PDF
    (
      length(attachments) == 1
      and any(attachments, .content_type == "application/pdf")
    )
    // gate 1b: the email body itself is near-empty; QR lures put the content in the attachment
    and (
      // short or null message body
      (
        length(body.current_thread.text) < 500 or body.current_thread.text is null
      )
      // ignore disclaimers in body length calculation
      // (the body may still qualify if it is short once a detected disclaimer entity is subtracted)
      or (
        any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
                       .name == "disclaimer"
                ),
                .text
            ),
            (length(body.current_thread.text) - length(.)) < 500
        )
      )
    )
  )
  // gate 2: attachment content analysis (file name + QR evidence + lure text)
  and (
    // attached PDF contains a compensation review themed lure with a QR code and suspicious indicators
    any(attachments,
        // add conditions for pdf attachment
        (
          // NOTE(review): 'pay(?:roll)' only ever matches "payroll" (the group is not optional) —
          // confirm whether 'pay(?:roll)?' was intended. 'comp(?:ensation|liance|\b)' also admits
          // "compliance"-themed file names, which is broader than the compensation theme.
          regex.icontains(.file_name,
                          'salary|pay(?:roll)|bonus|comp(?:ensation|liance|\b)|remuneration|disbursement|incentive|merit|vesting'
          )
          // recipient email SLD in filename
          // (personalized file names such as "<company>_compensation.pdf"); requires a valid recipient domain
          or any(recipients.to,
                 strings.icontains(..file_name, .email.domain.sld)
                 and .email.domain.valid
          )
        )
        // add conditions for text and any QR code within the pdf attachment
        and (
          // conditions for QR code via text
          // (extracted strings or OCR mention scanning/camera AND a QR/barcode term)
          any(file.explode(.),
              any([.scan.strings.raw, .scan.ocr.raw],
                  regex.icontains(., 'scan|camera')
                  and regex.icontains(., '\bQR\b|Q\.R\.|barcode')
              )
          )
          // ...or a QR code actually decoded to a URL with a syntactically valid domain.
          // NOTE(review): no allow-listing is applied to the decoded QR target here; any valid-domain URL
          // satisfies this branch, so benign sender exclusion rests entirely on gates 3 and 4 below.
          or any(file.explode(.),
                 .scan.qr.type == "url" and .scan.qr.url.domain.valid
          )
        )
        // conditions for text
        and any(file.explode(.),
                // review/change terms in file content
                any([.scan.strings.raw, .scan.ocr.raw],
                    (
                      regex.icontains(.,
                                      '\b(?:Remuneration Overview|Updated Compensation (?:Summary|Schedule|Details)|Access Your Statements?|Staff Performance Appraisal|Compensation Adjustment|performance appraisal|Appraisal Overview|appraisal and compensation)\b'
                      )
                    )
                )
                // alternative: the OCR text is personalized to the recipient AND NLU flags it
                or (
                  // recipient local_part in attachment body
                  // NOTE(review): strings.contains is case-sensitive here, unlike the icontains calls
                  // elsewhere in this rule; OCR output may not preserve the local part's case — verify intended.
                  any(recipients.to,
                      strings.contains(..scan.ocr.raw, .email.local_part)
                  )
                  and (
                    // NLU cred_theft disposition
                    any(ml.nlu_classifier(.scan.ocr.raw).intents,
                        .name == "cred_theft" and .confidence != "low"
                    )
                    // suspicious topics
                    and any(ml.nlu_classifier(.scan.ocr.raw).topics,
                            .name in (
                              "Benefit Enrollment",
                              "Financial Communications"
                            )
                            and .confidence != "low"
                    )
                  )
                )
        )
    )
  )
  // gate 3: sender reputation — unsolicited, no benign history, or an org-domain spoof failing DMARC
  and (
    not profile.by_sender_email().solicited
    or not profile.by_sender_email().any_messages_benign
    // NOTE(review): this clause is subsumed by the "not any_messages_benign" test directly above
    // (it requires that same condition), so it cannot change the outcome; kept for readability only.
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
    // account for spoofed sender domains
    // (a missing DMARC result is treated as a failure via coalesce)
    or (
      sender.email.domain.domain in $org_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
  )

  // gate 4: negate highly trusted sender domains unless they fail DMARC authentication
  // NOTE(review): unlike the org-domain check above, dmarc.pass is not wrapped in coalesce(..., false)
  // here; if the DMARC result is null the two branches may treat the message differently — confirm intended.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
# Classification metadata (used for reporting/triage, not by the query itself)
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "QR code"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Optical Character Recognition"
  - "QR code analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Header analysis"
id: "9fd8185c-e2a7-50d0-895d-9f6b1a1c43ab"