Attachment: QR code with credential phishing indicators

Detects inbound messages carrying one or two image or PDF attachments whose embedded QR code decodes to a URL with credential theft indicators. Note that the source condition is 1 <= length(attachments) < 3, so a message with exactly three attachments does not match despite the "1-3" wording in the rule description. Indicators include: a LinkAnalysis credential phishing verdict, a decoded URL whose redirect chain or final destination uses a suspicious TLD, a final destination listed in URLhaus (trusted reporters), a decoded URL that downloads an archive or executable, use of a URL shortener (Google Maps short links excluded), and known open redirects abused in QR campaigns (bing.com /ck/a and the usap-dc.org /tracker endpoint). The sender must additionally be new or an outlier and unsolicited, or have prior malicious or spam messages with no false positives; highly trusted sender domains are excluded unless the message fails DMARC.

Sublime rule (View on GitHub)

name: "Attachment: QR code with credential phishing indicators"
description: |
    Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code url traverses suspicious infrastructure, the final destination is in URLhaus, decoded URL downloads a zip or executable, leverages URL shorteners, known QR abused openredirects, and more.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and 1 <= length(attachments) < 3

  // Inspects image attachments for QR codes
  and any(attachments,
          (.file_type in $file_types_images or .file_type == "pdf")
          and (
            any(file.explode(.),
                .scan.qr.type == "url"
                and (
                  // pass the QR URL to LinkAnalysis
                  any([ml.link_analysis(.scan.qr.url)],
                      .credphish.disposition == "phishing"

                      // any routing traverses via $suspicious_tld list
                      or any(.redirect_history, .domain.tld in $suspicious_tlds)

                      // effective destination in $suspicious_tld list
                      or .effective_url.domain.tld in $suspicious_tlds

                      // or the effective destination domain is in $abuse_ch_urlhaus_domains_trusted_reporters
                      or .effective_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters

                      // or any files downloaded are zips or executables
                      or any(.files_downloaded,
                             .file_extension in $file_extensions_common_archives
                             or .file_extension in $file_extensions_executables
                      )
                  )
                  or (

                    // or the QR code's root domain is a url_shortener
                    .scan.qr.url.domain.root_domain in $url_shorteners

                    // exclude google maps
                    and not strings.starts_with(.scan.qr.url.url, 'https://goo.gl/maps')
                    and not strings.starts_with(.scan.qr.url.url, 'https://maps.app.goo.gl')
                  )

                  // the QR code url is a bing open redirect
                  or .scan.qr.url.domain.root_domain == 'bing.com' and .scan.qr.url.path =~ '/ck/a'
                  or (

                    // usap-dc open redirect
                    .scan.qr.url.domain.root_domain == "usap-dc.org"
                    and .scan.qr.url.path =~ "/tracker"
                    and strings.starts_with(.scan.qr.url.query_params, "type=dataset&url=http")
                  )
                )
            )
          )
  )
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "Natural Language Understanding"
  - "QR code analysis"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "9f1681e1-8c15-5edd-9aaa-eb5af1729322"
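To see how the rule's URL and sender conditions combine, here is an added Python re-implementation of the rule's logic (example code written for this page, not Sublime Security's rule engine or any of its APIs). It starts from the URL already decoded from a QR code, which is what the rule reads as .scan.qr.url, because QR decoding and URL detonation are out of scope for an offline script. The LinkAnalysis result is therefore supplied by the caller as a plain dict stand-in, and the list contents (URL_SHORTENERS, SUSPICIOUS_TLDS, URLHAUS_DOMAINS, file-extension sets), the small public-suffix table, and every sample URL are constructed for illustration and are not the real Sublime lists. The MQL =~ operator is treated here as case-insensitive string equality.

```python
"""Offline model of "Attachment: QR code with credential phishing indicators".

Added example, not Sublime Security's code. qr_url_indicators() takes the URL
decoded from a QR code plus an optional caller-supplied stand-in for the
ml.link_analysis() result; sender_gate() models the sender-profile and
high-trust/DMARC conditions.
"""
from urllib.parse import urlsplit

# Constructed stand-ins for Sublime's $url_shorteners, $suspicious_tlds,
# $abuse_ch_urlhaus_domains_trusted_reporters and file-extension lists.
URL_SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "is.gd"}
SUSPICIOUS_TLDS = {"zip", "top", "xyz", "cfd"}
URLHAUS_DOMAINS = {"bad-downloads.example"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso"}
EXECUTABLE_EXTS = {"exe", "msi", "scr", "js"}

# Assumption: a tiny multi-label public-suffix table, so that
# login.bank.co.uk -> bank.co.uk. The real engine uses a full suffix list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def parse_url(url):
    """Approximate the fields the rule reads from .scan.qr.url."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        root = ".".join(labels[-3:])
    else:
        root = ".".join(labels[-2:])
    return {"url": url, "root_domain": root, "tld": labels[-1],
            "path": parts.path, "query_params": parts.query}


def file_extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def qr_url_indicators(qr_url, link_analysis=None):
    """Return the names of the rule's URL indicators that fire for qr_url.

    link_analysis is a constructed stand-in for ml.link_analysis() with keys
    disposition, redirect_history (URLs), effective_url, files_downloaded.
    """
    u = parse_url(qr_url)
    hits = []

    if link_analysis:
        la = link_analysis
        if la.get("disposition") == "phishing":
            hits.append("credphish_disposition")
        if any(parse_url(h)["tld"] in SUSPICIOUS_TLDS
               for h in la.get("redirect_history", [])):
            hits.append("redirect_via_suspicious_tld")
        eff = parse_url(la["effective_url"]) if la.get("effective_url") else None
        if eff and eff["tld"] in SUSPICIOUS_TLDS:
            hits.append("effective_url_suspicious_tld")
        if eff and eff["root_domain"] in URLHAUS_DOMAINS:
            hits.append("effective_url_in_urlhaus")
        if any(file_extension(f) in ARCHIVE_EXTS | EXECUTABLE_EXTS
               for f in la.get("files_downloaded", [])):
            hits.append("downloads_archive_or_executable")

    # URL shortener, with the rule's Google Maps carve-out
    if u["root_domain"] in URL_SHORTENERS and not (
            qr_url.startswith("https://goo.gl/maps")
            or qr_url.startswith("https://maps.app.goo.gl")):
        hits.append("url_shortener")

    # Bing open redirect: root domain bing.com and path /ck/a
    if u["root_domain"] == "bing.com" and u["path"].lower() == "/ck/a":
        hits.append("bing_open_redirect")

    # usap-dc tracker open redirect with a dataset URL parameter
    if (u["root_domain"] == "usap-dc.org" and u["path"].lower() == "/tracker"
            and u["query_params"].startswith("type=dataset&url=http")):
        hits.append("usapdc_open_redirect")

    return hits


def sender_gate(prevalence, solicited, any_malicious_or_spam, any_false_positives,
                sender_root_domain, dmarc_pass, high_trust_domains=frozenset()):
    """Sender-profile condition AND the high-trust/DMARC negation."""
    profile_ok = ((prevalence in ("new", "outlier") and not solicited)
                  or (any_malicious_or_spam and not any_false_positives))
    # A high-trust root domain only passes the gate when DMARC fails.
    trust_ok = sender_root_domain not in high_trust_domains or not dmarc_pass
    return profile_ok and trust_ok


if __name__ == "__main__":
    # Constructed sample QR payloads
    for url in ("https://www.bing.com/ck/a?!&&p=abc&u=a1aHR0cHM6Ly9sb2dpbi5leGFtcGxl",
                "https://goo.gl/maps/abc123", "https://bit.ly/3xyz",
                "https://www.usap-dc.org/tracker?type=dataset&url=https://login.example.top/"):
        print(url, "->", qr_url_indicators(url))
```

The sender gate is the part most often overlooked when tuning this rule: a QR URL can trip every indicator and still produce no alert if the sender is an established, solicited correspondent, and a high-trust domain is only considered when DMARC fails, which is why spoofed look-alike mail from such domains still surfaces.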