Attachment: QR code with credential phishing indicators
Detects messages with between 1-3 attachments containing a QR code with suspicious credential-theft indicators, such as: a LinkAnalysis credential phishing conclusion, a decoded QR code URL that traverses suspicious infrastructure, a final destination listed in URLhaus, a decoded URL that downloads a zip or executable, use of URL shorteners, known QR-abused open redirects, and more.
Sublime rule (View on GitHub)

```yaml
name: "Attachment: QR code with credential phishing indicators"
description: |
  Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code url traverses suspicious infrastructure, the final destination is in URLhaus, decoded URL downloads a zip or executable, leverages URL shorteners, known QR abused openredirects, and more.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and 1 <= length(attachments) < 3

  // Inspects image attachments for QR codes
  and any(attachments,
          (.file_type in $file_types_images or .file_type == "pdf")
          and (
            any(file.explode(.),
                .scan.qr.type == "url"
                and not .scan.qr.url.domain.domain == "geico.app.link"
                and (
                  // pass the QR URL to LinkAnalysis
                  any([ml.link_analysis(.scan.qr.url)],
                      .credphish.disposition == "phishing"

                      // any routing traverses via $suspicious_tld list
                      or any(.redirect_history, .domain.tld in $suspicious_tlds)

                      // effective destination in $suspicious_tld list
                      or .effective_url.domain.tld in $suspicious_tlds

                      // or the effective destination domain is in $abuse_ch_urlhaus_domains_trusted_reporters
                      or .effective_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters

                      // or any files downloaded are zips or executables
                      or any(.files_downloaded,
                             .file_extension in $file_extensions_common_archives
                             or .file_extension in $file_extensions_executables
                      )
                  )
                  or (

                    // or the QR code's root domain is a url_shortener
                    .scan.qr.url.domain.root_domain in $url_shorteners
                    and (
                      not (
                        any(ml.nlu_classifier(body.current_thread.text).intents,
                            .name == "benign"
                        )
                        or any(ml.nlu_classifier(body.current_thread.text).entities,
                               .name == "disclaimer"
                        )
                      )
                      or not any(attachments,
                                 any(file.explode(.),
                                     any(ml.nlu_classifier(.scan.ocr.raw).intents,
                                         .name == "benign"
                                     )
                                 )
                      )
                      or (
                        any(recipients.to,
                            strings.icontains(..scan.qr.url.url, .email.email)
                        )
                      )
                    )

                    // exclude google maps
                    and not strings.starts_with(.scan.qr.url.url, 'https://goo.gl/maps')
                    and not strings.starts_with(.scan.qr.url.url, 'https://maps.app.goo.gl')
                  )

                  // the QR code url is a bing open redirect
                  or .scan.qr.url.domain.root_domain == 'bing.com' and .scan.qr.url.path =~ '/ck/a'
                  or (

                    // usap-dc open redirect
                    .scan.qr.url.domain.root_domain == "usap-dc.org"
                    and .scan.qr.url.path =~ "/tracker"
                    and strings.starts_with(.scan.qr.url.query_params, "type=dataset&url=http")
                  )
                )
            )
          )
  )
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "Natural Language Understanding"
  - "QR code analysis"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "9f1681e1-8c15-5edd-9aaa-eb5af1729322"
```
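To make the decoded-URL indicator logic of this rule testable outside Sublime, here is an added Python re-implementation of the QR URL checks (not part of the rule or of Sublime's code). The list variables, the `root_domain` helper, and the boolean stand-ins for the LinkAnalysis and NLU verdicts are constructed assumptions; the real lists are maintained by Sublime and `root_domain` in MQL uses the public suffix list.

```python
from urllib.parse import urlparse

# Constructed stand-ins for the rule's $url_shorteners, $suspicious_tlds and
# $file_extensions_* lists (the real Sublime lists are far larger).
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
SUSPICIOUS_TLDS = {"zip", "top", "xyz"}
ARCHIVE_OR_EXE_EXTS = {"zip", "rar", "7z", "exe", "msi"}

def root_domain(host):
    """Simplified root_domain: last two labels (hypothetical; MQL uses the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def tld(host):
    return host.lower().rsplit(".", 1)[-1]

def qr_url_indicators(qr_url, recipients, effective_url=None, redirect_hosts=(),
                      downloaded_files=(), credphish=False, body_benign=False, ocr_benign=False):
    """Return the rule indicators a decoded QR URL trips (empty list = no hit).
    credphish / body_benign / ocr_benign stand in for the ml.link_analysis and
    ml.nlu_classifier verdicts the rule obtains at evaluation time."""
    u = urlparse(qr_url)
    host = u.hostname or ""
    root = root_domain(host)
    hits = []
    if host == "geico.app.link":          # exclusion carried over from the rule
        return hits
    # LinkAnalysis branch: disposition, redirect chain, destination, downloads
    if credphish:
        hits.append("credphish_disposition")
    if any(tld(h) in SUSPICIOUS_TLDS for h in redirect_hosts):
        hits.append("suspicious_tld_in_redirect")
    if tld(urlparse(effective_url or qr_url).hostname or "") in SUSPICIOUS_TLDS:
        hits.append("suspicious_tld_destination")
    if any(f.rsplit(".", 1)[-1].lower() in ARCHIVE_OR_EXE_EXTS for f in downloaded_files):
        hits.append("archive_or_executable_download")
    # URL shortener branch: fires unless body and OCR both look benign,
    # or when a recipient address is embedded in the URL; Google Maps links excluded
    is_maps = qr_url.startswith(("https://goo.gl/maps", "https://maps.app.goo.gl"))
    recipient_in_url = any(r.lower() in qr_url.lower() for r in recipients)
    if root in URL_SHORTENERS and not is_maps and (not body_benign or not ocr_benign or recipient_in_url):
        hits.append("url_shortener")
    # Known open redirects abused via QR codes ("=~" treated as case-insensitive equality)
    if root == "bing.com" and u.path.lower() == "/ck/a":
        hits.append("bing_open_redirect")
    if root == "usap-dc.org" and u.path.lower() == "/tracker" \
            and u.query.startswith("type=dataset&url=http"):
        hits.append("usap_dc_open_redirect")
    return hits
```

The sender-profile and DMARC conditions of the rule are deliberately left out; they depend on Sublime's sender history, not on the decoded URL.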