Attachment: PDF with QR code containing recipient-specific credential theft content

Detects PDF attachments containing QR codes that include the recipient's email address (either plaintext or base64 encoded) combined with credential theft language detected through natural language processing. This technique personalizes the attack by incorporating the target's email into the QR code URL while using PDF content to establish credibility.

Sublime rule (View on GitHub)

 1name: "Attachment: PDF with QR code containing recipient-specific credential theft content"
 2description: "Detects PDF attachments containing QR codes that include the recipient's email address (either plaintext or base64 encoded) combined with credential theft language detected through natural language processing. This technique personalizes the attack by incorporating the target's email into the QR code URL while using PDF content to establish credibility."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(filter(attachments, .file_type == "pdf"),
 8          ( // the strings produced by the PDF scanner contains cred theft language
 9            any(filter(file.explode(.), .depth == 1 and .file_name == "text"),
10                any(ml.nlu_classifier(.scan.strings.raw).intents,
11                    .name == "cred_theft"
12                )
13            )
14          )
15          // there is a QR code
16          and length(beta.scan_qr(.).items) > 0
17          // QR code contians the recipient email
18          and any(beta.scan_qr(.).items,
19                  .url.domain.valid
20                  and any(recipients.to,
21                          .email.domain.valid
22                          // QR code contains the email
23                          and (
24                            strings.icontains(..url.url, .email.email)
25                            // QR code contains the base64 endcoded email
26                            or any(strings.scan_base64(..url.url,
27                                                       format="url",
28                                                       ignore_padding=true
29                                   ),
30                                   strings.icontains(., ..email.email)
31                            )
32                          )
33                  )
34          )
35  )  
36attack_types:
37  - "Credential Phishing"
38tactics_and_techniques:
39  - "PDF"
40  - "QR code"
41  - "Social engineering"
42detection_methods:
43  - "File analysis"
44  - "Natural Language Understanding"
45  - "QR code analysis"
46  - "Content analysis"
47id: "c8b85214-fe8e-52b0-868a-be0b040c5e60"