Attachment: QR code with credential phishing indicators
Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code URL traverses suspicious infrastructure, the final destination is in URLhaus, decoded URL downloads a zip or executable, leverages URL shorteners, known QR-abused open redirects, and more.
Sublime rule

name: "Attachment: QR code with credential phishing indicators"
description: |
  Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code URL traverses suspicious infrastructure, the final destination is in URLhaus, decoded URL downloads a zip or executable, leverages URL shorteners, known QR-abused open redirects, and more.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and 1 <= length(attachments) < 3

  // Inspects image attachments for QR codes
  and any(attachments,
          (.file_type in $file_types_images or .file_type == "pdf")
          and (
            any(file.explode(.),
                .scan.qr.type == "url"
                and not .scan.qr.url.domain.domain == "geico.app.link"
                and (
                  // pass the QR URL to LinkAnalysis
                  any([ml.link_analysis(.scan.qr.url)],
                      .credphish.disposition == "phishing"

                      // any routing traverses via $suspicious_tld list
                      or any(.redirect_history, .domain.tld in $suspicious_tlds)

                      // effective destination in $suspicious_tld list
                      or .effective_url.domain.tld in $suspicious_tlds

                      // or the effective destination domain is in $abuse_ch_urlhaus_domains_trusted_reporters
                      or .effective_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters

                      // or any files downloaded are zips or executables
                      or any(.files_downloaded,
                             .file_extension in $file_extensions_common_archives
                             or .file_extension in $file_extensions_executables
                      )
                  )
                  or (
                    // or the QR code's root domain is a url_shortener
                    .scan.qr.url.domain.root_domain in $url_shorteners

                    // exclude google maps
                    and not strings.starts_with(.scan.qr.url.url, 'https://goo.gl/maps')
                    and not strings.starts_with(.scan.qr.url.url, 'https://maps.app.goo.gl')
                  )

                  // the QR code url is a bing open redirect
                  or .scan.qr.url.domain.root_domain == 'bing.com' and .scan.qr.url.path =~ '/ck/a'
                  or (
                    // usap-dc open redirect
                    .scan.qr.url.domain.root_domain == "usap-dc.org"
                    and .scan.qr.url.path =~ "/tracker"
                    and strings.starts_with(.scan.qr.url.query_params, "type=dataset&url=http")
                  )
                )
            )
          )
  )
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "Natural Language Understanding"
  - "QR code analysis"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "9f1681e1-8c15-5edd-9aaa-eb5af1729322"
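The per-URL indicator logic of the rule above, re-expressed as an added Python example for unit-testing the decision against constructed samples; this is not Sublime's code, and the list contents, the LinkAnalysis field shape and the root-domain helper are assumptions, with `=~` modelled as case-insensitive equality.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-ins for the Sublime lists the rule references (assumed contents, not the real lists)
SUSPICIOUS_TLDS = {"xyz", "top", "icu"}
URLHAUS_TRUSTED_REPORTERS = {"badhost.example"}
URL_SHORTENERS = {"goo.gl", "bit.ly", "t.co"}
ARCHIVE_OR_EXE_EXTENSIONS = {"zip", "rar", "7z", "exe", "msi"}

@dataclass
class LinkAnalysis:
    """Constructed mirror of the ml.link_analysis fields the rule reads (hypothetical shape)."""
    credphish_disposition: str = "benign"
    redirect_history: list = field(default_factory=list)  # hostnames traversed
    effective_url: str = ""
    files_downloaded: list = field(default_factory=list)  # file extensions seen

def root_domain(host):
    labels = host.lower().split(".")  # assumption: no multi-label public suffixes in the samples
    return ".".join(labels[-2:])

def tld(host):
    return host.lower().rsplit(".", 1)[-1]

def qr_url_is_suspicious(url, analysis):
    """True when the decoded QR URL meets one of the rule's credential-theft indicators."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "geico.app.link":  # the rule's explicit allow-listed host
        return False
    eff_host = (urlsplit(analysis.effective_url).hostname or "").lower()
    # Indicators derived from LinkAnalysis of the decoded URL
    if (analysis.credphish_disposition == "phishing"
            or any(tld(h) in SUSPICIOUS_TLDS for h in analysis.redirect_history)
            or (eff_host and tld(eff_host) in SUSPICIOUS_TLDS)
            or (eff_host and root_domain(eff_host) in URLHAUS_TRUSTED_REPORTERS)
            or any(ext.lower() in ARCHIVE_OR_EXE_EXTENSIONS for ext in analysis.files_downloaded)):
        return True
    # URL shortener, minus the two Google Maps exclusions
    if root_domain(host) in URL_SHORTENERS and not url.startswith(
            ("https://goo.gl/maps", "https://maps.app.goo.gl")):
        return True
    # Known open redirects abused via QR codes (=~ treated as case-insensitive equality)
    if root_domain(host) == "bing.com" and parts.path.lower() == "/ck/a":
        return True
    if (root_domain(host) == "usap-dc.org" and parts.path.lower() == "/tracker"
            and parts.query.startswith("type=dataset&url=http")):
        return True
    return False
```

The sender-profile and DMARC conditions of the rule are message-level and are left out here; this function covers only the branch evaluated per decoded QR URL.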