Attachment: QR code with credential phishing indicators
Detects inbound messages with one or two attachments (the rule requires 1 <= length(attachments) < 3) containing a QR code with suspicious credential theft indicators, such as: a LinkAnalysis credential phishing conclusion, a decoded QR code URL that traverses suspicious infrastructure, a final destination listed in URLhaus, a decoded URL that downloads a zip or executable, use of URL shorteners, known open redirects abused in QR campaigns, and more. The rule only fires when the sender is new or an outlier, or has prior malicious/spam messages and no recorded false positives.
Sublime rule (View on GitHub)
name: "Attachment: QR code with credential phishing indicators"
description: |
  Detects messages with one or two attachments containing a QR code with suspicious credential theft indicators, such as: a LinkAnalysis credential phishing conclusion, a decoded QR code URL that traverses suspicious infrastructure, a final destination listed in URLhaus, a decoded URL that downloads a zip or executable, use of URL shorteners, known open redirects abused in QR campaigns, and more.
type: "rule"
severity: "high"
source: |
  type.inbound
  and 1 <= length(attachments) < 3

  // Inspects image attachments for QR codes
  and any(attachments,
          (.file_type in $file_types_images or .file_type == "pdf")
          and (
            any(file.explode(.),
                .scan.qr.type == "url"
                and (
                  // pass the QR URL to LinkAnalysis
                  any([beta.linkanalysis(.scan.qr.url)],
                      .credphish.disposition == "phishing"

                      // any routing traverses via $suspicious_tld list
                      or any(.redirect_history, .domain.tld in $suspicious_tlds)

                      // effective destination in $suspicious_tld list
                      or .effective_url.domain.tld in $suspicious_tlds

                      // or the effective destination domain is in $abuse_ch_urlhaus_domains_trusted_reporters
                      or .effective_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters

                      // or any files downloaded are zips or executables
                      or any(.files_downloaded,
                             .file_extension in $file_extensions_common_archives
                             or .file_extension in $file_extensions_executables
                      )
                  )
                  or (
                    // or the QR code's root domain is a url_shortener
                    .scan.qr.url.domain.root_domain in $url_shorteners

                    // exclude google maps
                    and not strings.starts_with(.scan.qr.url.url, 'https://goo.gl/maps')
                  )

                  // the QR code url is a bing open redirect
                  or (
                    .scan.qr.url.domain.root_domain == 'bing.com'
                    and .scan.qr.url.path =~ '/ck/a'
                  )
                  or (
                    // usap-dc open redirect
                    .scan.qr.url.domain.root_domain == "usap-dc.org"
                    and .scan.qr.url.path =~ "/tracker"
                    and strings.starts_with(.scan.qr.url.query_params, "type=dataset&url=http")
                  )
                )
            )
          )
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "Natural Language Understanding"
  - "QR code analysis"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "9f1681e1-8c15-5edd-9aaa-eb5af1729322"
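To see what the rule's static branches actually match, here is the same logic written out in Python over a decoded QR-code URL. This is an added example, not Sublime's code and not a replacement for the MQL above: it assumes the QR code has already been decoded to a URL string, it substitutes small constructed lists for the $url_shorteners, $suspicious_tlds, $file_extensions_common_archives and $file_extensions_executables lists, it approximates .domain.root_domain with the last two host labels (Sublime uses the public suffix list), and it applies the suspicious-TLD and archive/executable checks to the decoded URL itself because the LinkAnalysis redirect chain and downloaded files are not available offline. The should_alert helper reproduces the message-level gates: the 1 <= length(attachments) < 3 bound and the sender-profile condition.

```python
"""Static indicator checks for a decoded QR-code URL, mirroring the branches of
the rule that do not depend on LinkAnalysis. Added example, not Sublime's code.
All list contents below are constructed stand-ins for the Sublime lists the
rule references."""
from urllib.parse import urlsplit

# Constructed stand-ins; the real Sublime lists are far larger.
URL_SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "is.gd"}
SUSPICIOUS_TLDS = {"xyz", "top", "zip", "club", "icu"}
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "tar", "gz"}
EXECUTABLE_EXTENSIONS = {"exe", "msi", "scr", "bat", "js"}


def root_domain(host: str) -> str:
    """Approximation of MQL's .domain.root_domain: the last two host labels.
    Sublime resolves root_domain against the public suffix list, so hosts under
    multi-label suffixes such as co.uk would come out differently here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def tld(host: str) -> str:
    return host.lower().rstrip(".").rsplit(".", 1)[-1]


def file_extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def qr_url_indicators(url: str) -> list:
    """Return the names of the indicators the decoded QR URL trips, in rule order."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    rd = root_domain(host)
    hits = []

    # Shortener branch, with the rule's Google Maps exclusion.
    if rd in URL_SHORTENERS and not url.startswith("https://goo.gl/maps"):
        hits.append("url_shortener")

    # Bing open redirect: root_domain == 'bing.com' and path =~ '/ck/a'.
    # MQL's =~ is case-insensitive string equality, not a regex match.
    if rd == "bing.com" and parts.path.lower() == "/ck/a":
        hits.append("bing_open_redirect")

    # usap-dc.org tracker open redirect.
    if (rd == "usap-dc.org" and parts.path.lower() == "/tracker"
            and parts.query.startswith("type=dataset&url=http")):
        hits.append("usap_dc_open_redirect")

    # The rule runs the TLD and downloaded-file checks against the LinkAnalysis
    # redirect chain and effective URL. Offline we can only apply them to the
    # decoded URL itself, which covers the no-redirect case.
    if tld(host) in SUSPICIOUS_TLDS:
        hits.append("suspicious_tld")
    if file_extension(parts.path) in ARCHIVE_EXTENSIONS | EXECUTABLE_EXTENSIONS:
        hits.append("archive_or_executable_download")
    return hits


def should_alert(attachment_qr_urls, prevalence, any_malicious_or_spam, any_false_positives):
    """Message-level gate from the rule. attachment_qr_urls holds one list of
    decoded QR URLs per attachment (an empty list for attachments without a QR)."""
    if not 1 <= len(attachment_qr_urls) < 3:  # the rule's attachment-count bound
        return False
    if not any(qr_url_indicators(u) for urls in attachment_qr_urls for u in urls):
        return False
    return prevalence in ("new", "outlier") or (
        any_malicious_or_spam and not any_false_positives)


if __name__ == "__main__":
    # Constructed sample decoded URLs.
    for u in ["https://bit.ly/3abcXYZ",
              "https://goo.gl/maps/abc123",
              "https://www.bing.com/ck/a?!&&p=abc&u=a1aHR0cHM6Ly9ldmlsLmV4YW1wbGU",
              "https://www.usap-dc.org/tracker?type=dataset&url=http://evil.example/login",
              "https://portal-update.xyz/update.zip"]:
        print(u, "->", qr_url_indicators(u))
```

Two things the worked version makes visible: the attachment bound excludes messages with three attachments even though the original description said 1-3, and the shortener branch is the only one that fires without a redirect chain, so most true positives in production come from the LinkAnalysis side that this offline code cannot reproduce.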