Attachment: Compensation review lure with QR code
Detects PDF attachments containing compensation or payroll-themed content with QR codes from unsolicited or suspicious senders.
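name: "Attachment: Compensation review lure with QR code"
description: "Detects PDF attachments containing compensation or payroll-themed content with QR codes from unsolicited or suspicious senders."
type: "rule"
severity: "high"
source: |
  type.inbound

  // Gate 1: at least one PDF attachment and a short (or disclaimer-only) body.
  // QR lures normally carry the whole pitch inside the PDF and leave the body empty.
  and (
    any(attachments, .content_type == "application/pdf" or .file_type == "pdf")
    and (
      // short or null message body
      (
        length(body.current_thread.text) < 500 or body.current_thread.text is null
      )
      // ignore disclaimers in body length calculation
      or (
        any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
                       .name == "disclaimer"
                ),
                .text
            ),
            (length(body.current_thread.text) - length(.)) < 500
        )
      )
    )
  )

  // Gate 2: one attachment that is (a) a PDF, (b) compensation-themed by name or
  // embedded metadata, (c) carries a QR code or instructions to scan one, and
  // (d) carries review/change wording or personalised credential-theft content.
  and (
    any(attachments,
      // (a) bind every check below to the PDF itself. Gate 1 only proved that
      // *some* attachment is a PDF; without this, a sibling non-PDF attachment
      // could satisfy the lure checks while the PDF is unrelated, and the rule
      // would no longer match its own title/description.
      (.content_type == "application/pdf" or .file_type == "pdf")

      // (b) compensation-themed filename or embedded document title
      and (
        regex.icontains(.file_name,
                        'salary|pay(?:roll)|bonus|comp(?:ensation|liance|\b)|remuneration|disbursement|incentive|merit|vesting'
        )
        // recipient email SLD in filename (lure personalised with the target org's name).
        // NOTE(review): very short SLDs (2-3 characters) will match incidentally inside
        // ordinary filenames; consider a minimum-length guard if this proves noisy.
        or any(recipients.to,
               strings.icontains(..file_name, .email.domain.sld)
               and .email.domain.valid
        )
        or regex.icontains(beta.parse_exif(.).title,
                           'salary|pay(?:roll)|bonus|comp(?:ensation|liance|\b)|remuneration|disbursement|incentive|merit|vesting'
        )
      )

      // (c) QR code present: either scan instructions in the extracted/OCR text,
      // or a decoded QR code that resolves to a URL with a valid domain
      and (
        any(file.explode(.),
            any([.scan.strings.raw, .scan.ocr.raw],
                regex.icontains(., 'scan|camera|review and sign')
                and regex.icontains(., '\bQR\b|Q\.R\.|barcode')
            )
        )
        or any(file.explode(.),
               .scan.qr.type == "url" and .scan.qr.url.domain.valid
        )
      )

      // (d) lure wording
      and any(file.explode(.),
          // review/change terms in file content
          any([.scan.strings.raw, .scan.ocr.raw, .scan.exiftool.title],
              regex.icontains(.,
                              '\b(?:Remuneration Overview|Updated Compensation (?:Summary|Schedule|Details)|Access Your Statements?|Staff Performance Appraisal|Compensation Adjustment|performance appraisal|Appraisal Overview|appraisal and compensation|salary (?:increment|deduction))\b'
              )
          )
          or (
            // recipient local_part in attachment body (OCR text). This is a
            // case-sensitive match, unlike the icontains checks above; OCR output
            // that changes case will not match here, and very short local parts
            // match incidentally -- keep in mind when tuning.
            any(recipients.to,
                strings.contains(..scan.ocr.raw, .email.local_part)
            )
            and (
              // NLU cred_theft disposition
              any(ml.nlu_classifier(.scan.ocr.raw).intents,
                  .name == "cred_theft" and .confidence != "low"
              )
              // suspicious topics
              and any(ml.nlu_classifier(.scan.ocr.raw).topics,
                      .name in (
                        "Benefit Enrollment",
                        "Financial Communications"
                      )
                      and .confidence != "low"
              )
            )
          )
      )
    )
  )

  // Sender reputation: fire only when there is no benign history with this sender.
  // (The former third clause "malicious_or_spam and not any_messages_benign" was
  // dropped: it is implied by "not any_messages_benign" and never changed the result.)
  and (
    not profile.by_sender_email().solicited
    or not profile.by_sender_email().any_messages_benign
    // account for spoofed sender domains: our own domain that fails DMARC.
    // A missing DMARC evaluation (null) is treated as a failure.
    or (
      sender.email.domain.domain in $org_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication.
  // coalesce() keeps this consistent with the org-domain check above: a
  // high-trust root domain with no DMARC result is NOT exempted, since an
  // unauthenticated message from such a domain is exactly the spoofing case.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "QR code"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Optical Character Recognition"
  - "QR code analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Header analysis"
id: "9fd8185c-e2a7-50d0-895d-9f6b1a1c43ab"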