Attachment: Compensation review lure with QR code

Detects PDF attachments containing compensation or payroll-themed content with QR codes from unsolicited or suspicious senders.

Sublime rule (View on GitHub)

# Sublime detection rule: compensation/payroll-themed PDF lure carrying a QR code.
# Structure of the MQL below, in order: inbound + single PDF attachment, a short
# (or disclaimer-padded) body, lure content + QR indicators inside the PDF,
# and a sender-reputation / spoofing gate.
name: "Attachment: Compensation review lure with QR code"
description: "Detects PDF attachments containing compensation or payroll-themed content with QR codes from unsolicited or suspicious senders."
type: "rule"
severity: "high"
source: |
  // Only inbound mail is evaluated.
  type.inbound
  and (
    // Exactly one attachment, and it is declared as a PDF. The check is on the
    // declared content_type, so an attachment with a different content_type
    // will not match this rule even if it is actually a PDF.
    (
      length(attachments) == 1
      and any(attachments, .content_type == "application/pdf")
    )
    and (
      // short or null message body
      (
        length(body.current_thread.text) < 500 or body.current_thread.text is null
      )
      // ignore disclaimers in body length calculation: the body also qualifies as
      // "short" if subtracting the text of any single NLU-detected disclaimer
      // entity brings its length under 500
      or (
        any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
                       .name == "disclaimer"
                ),
                .text
            ),
            (length(body.current_thread.text) - length(.)) < 500
        )
      )
    )
  )
  and (
    // attached PDF contains a compensation review themed lure with a QR code and suspicious indicators
    any(attachments,
        // conditions on the attachment itself: a compensation-themed file name,
        // or the recipient's own domain SLD embedded in the file name
        (
          // matched as substrings (no word boundaries other than the bare `comp\b`
          // alternative), so e.g. "merit" also matches "meritorious"
          // NOTE(review): `pay(?:roll)` is equivalent to plain `payroll`; if the
          // intent was to also match "pay", the group needs a trailing `?`
          regex.icontains(.file_name,
                          'salary|pay(?:roll)|bonus|comp(?:ensation|liance|\b)|remuneration|disbursement|incentive|merit|vesting'
          )
          // recipient email SLD in filename (`..file_name` refers to the enclosing
          // attachment, `.email` to the recipient being iterated)
          or any(recipients.to,
                 strings.icontains(..file_name, .email.domain.sld)
                 and .email.domain.valid
          )
        )
        // QR-code evidence inside the exploded PDF: either text that tells the
        // reader to scan a QR/barcode, or an actually decoded QR code pointing
        // at a URL with a valid domain
        and (
          // conditions for QR code via text (extracted strings or OCR output)
          any(file.explode(.),
              any([.scan.strings.raw, .scan.ocr.raw],
                  regex.icontains(., 'scan|camera')
                  and regex.icontains(., '\bQR\b|Q\.R\.|barcode')
              )
          )
          or any(file.explode(.),
                 .scan.qr.type == "url" and .scan.qr.url.domain.valid
          )
        )
        // lure content inside the exploded PDF: a known compensation-review
        // phrase, or recipient targeting combined with NLU credential-theft signals
        and any(file.explode(.),
                // review/change terms in file content (extracted strings or OCR output)
                any([.scan.strings.raw, .scan.ocr.raw],
                    (
                      regex.icontains(.,
                                      '\b(?:Remuneration Overview|Updated Compensation (?:Summary|Schedule|Details)|Access Your Statements?|Staff Performance Appraisal|Compensation Adjustment|performance appraisal|Appraisal Overview|appraisal and compensation)\b'
                      )
                    )
                )
                or (
                  // recipient local_part in attachment body (OCR text only)
                  // NOTE(review): this is a case-sensitive `strings.contains`,
                  // unlike the `icontains` used elsewhere in the rule; confirm
                  // that is intended, since OCR output may not preserve case
                  any(recipients.to,
                      strings.contains(..scan.ocr.raw, .email.local_part)
                  )
                  // Both NLU checks below classify the OCR text only; the
                  // extracted strings (.scan.strings.raw) are not classified here.
                  and (
                    // NLU cred_theft disposition with at least medium confidence
                    any(ml.nlu_classifier(.scan.ocr.raw).intents,
                        .name == "cred_theft" and .confidence != "low"
                    )
                    // suspicious topics with at least medium confidence
                    and any(ml.nlu_classifier(.scan.ocr.raw).topics,
                            .name in (
                              "Benefit Enrollment",
                              "Financial Communications"
                            )
                            and .confidence != "low"
                    )
                  )
                )
        )
    )
  )
  // Sender gate: unsolicited sender, sender with no benign history, or an
  // org-domain sender that does not pass DMARC (possible spoof).
  and (
    not profile.by_sender_email().solicited
    or not profile.by_sender_email().any_messages_benign
    // NOTE(review): this alternative is already implied by the preceding
    // `not ...any_messages_benign` clause and never changes the result
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
    // account for spoofed sender domains: coalesce treats a missing DMARC
    // result as a non-pass
    or (
      sender.email.domain.domain in $org_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      // NOTE(review): unlike the org-domain branch above, dmarc.pass is not
      // coalesced here; confirm how a missing DMARC result evaluates, since a
      // null could keep this branch from matching for a high-trust sender
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
# Metadata used for categorisation in the rule feed.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "QR code"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Optical Character Recognition"
  - "QR code analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Header analysis"
id: "9fd8185c-e2a7-50d0-895d-9f6b1a1c43ab"