Attachment: QR code with credential phishing indicators

Detects messages with between 1 and 3 attachments that contain a QR code with suspicious credential-theft indicators, such as: a LinkAnalysis credential phishing conclusion, a decoded QR code URL that traverses suspicious infrastructure, a final destination listed in URLhaus, a decoded URL that downloads a zip or executable, use of URL shorteners, known QR-abused open redirects, and more.

Sublime rule

name: "Attachment: QR code with credential phishing indicators"
description: |
    Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code url traverses suspicious infrastructure, the final destination is in URLhaus, decoded URL downloads a zip or executable, leverages URL shorteners, known QR abused openredirects, and more.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and 1 <= length(attachments) < 3

  // Inspects image attachments for QR codes
  and any(attachments,
          (.file_type in $file_types_images or .file_type == "pdf")
          and (
            any(file.explode(.),
                .scan.qr.type == "url"
                and not .scan.qr.url.domain.domain == "geico.app.link"
                and (
                  // pass the QR URL to LinkAnalysis
                  any([ml.link_analysis(.scan.qr.url)],
                      .credphish.disposition == "phishing"

                      // any routing traverses via $suspicious_tld list
                      or any(.redirect_history, .domain.tld in $suspicious_tlds)

                      // effective destination in $suspicious_tld list
                      or .effective_url.domain.tld in $suspicious_tlds

                      // or the effective destination domain is in $abuse_ch_urlhaus_domains_trusted_reporters
                      or .effective_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters

                      // or any files downloaded are zips or executables
                      or any(.files_downloaded,
                             .file_extension in $file_extensions_common_archives
                             or .file_extension in $file_extensions_executables
                      )
                  )
                  or (

                    // or the QR code's root domain is a url_shortener
                    .scan.qr.url.domain.root_domain in $url_shorteners

                    // exclude google maps
                    and not strings.starts_with(.scan.qr.url.url, 'https://goo.gl/maps')
                    and not strings.starts_with(.scan.qr.url.url, 'https://maps.app.goo.gl')
                  )

                  // the QR code url is a bing open redirect
                  or .scan.qr.url.domain.root_domain == 'bing.com' and .scan.qr.url.path =~ '/ck/a'
                  or (

                    // usap-dc open redirect
                    .scan.qr.url.domain.root_domain == "usap-dc.org"
                    and .scan.qr.url.path =~ "/tracker"
                    and strings.starts_with(.scan.qr.url.query_params, "type=dataset&url=http")
                  )
                )
            )
          )
  )
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "Natural Language Understanding"
  - "QR code analysis"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "9f1681e1-8c15-5edd-9aaa-eb5af1729322"
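As an added illustration (not part of the rule above or of Sublime's code), the following Python applies the rule's URL-level indicators to already-decoded QR URLs. The list contents, the LinkAnalysis results (redirect hosts, effective URL, downloaded files) and the naive root-domain helper are constructed stand-ins for the Sublime lists and functions the rule references.

```python
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Constructed stand-ins for the Sublime-maintained lists the rule references
# ($url_shorteners, $suspicious_tlds, $file_extensions_*); the real lists are larger.
URL_SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}
SUSPICIOUS_TLDS = {"top", "xyz", "zip", "icu"}
ARCHIVE_OR_EXE = {"zip", "rar", "7z", "exe", "msi", "scr"}
MAPS_PREFIXES = ("https://goo.gl/maps", "https://maps.app.goo.gl")  # rule's exclusions


def root_domain(host: str) -> str:
    """Naive registrable-domain guess (last two labels, no public-suffix list)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def tld(name: str) -> str:
    """Last dotted label: the TLD of a host, or the extension of a file name."""
    return name.lower().rsplit(".", 1)[-1]


def qr_url_indicators(url: str, redirect_hosts: Iterable[str] = (),
                      effective_url: Optional[str] = None,
                      downloaded: Iterable[str] = ()) -> List[str]:
    """Names of the rule's indicators that a decoded QR URL triggers.
    redirect_hosts / effective_url / downloaded stand in for LinkAnalysis output."""
    p = urlparse(url)
    host = p.hostname or ""
    root, path = root_domain(host), p.path.lower()   # MQL '=~' is case-insensitive
    hits: List[str] = []
    if host == "geico.app.link":                       # rule-level exclusion
        return hits
    if root in URL_SHORTENERS and not url.startswith(MAPS_PREFIXES):
        hits.append("url_shortener")
    if root == "bing.com" and path == "/ck/a":
        hits.append("bing_open_redirect")
    if (root == "usap-dc.org" and path == "/tracker"
            and p.query.startswith("type=dataset&url=http")):
        hits.append("usap_dc_open_redirect")
    if any(tld(h) in SUSPICIOUS_TLDS for h in redirect_hosts):
        hits.append("redirect_via_suspicious_tld")
    if effective_url and tld(urlparse(effective_url).hostname or "") in SUSPICIOUS_TLDS:
        hits.append("suspicious_tld_destination")
    if any(tld(name) in ARCHIVE_OR_EXE for name in downloaded):
        hits.append("downloads_archive_or_executable")
    return hits
```

The rule additionally requires the sender-profile and DMARC conditions, which are not modelled here.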