Attachment: QR code with credential phishing indicators

Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: a LinkAnalysis credential phishing conclusion, the decoded QR code URL traversing suspicious infrastructure, a final destination listed in URLhaus, the decoded URL downloading a zip or executable, use of URL shorteners, known open redirects abused in QR campaigns, and more.

Sublime rule

name: "Attachment: QR code with credential phishing indicators"
description: |
    Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code url traverses suspicious infrastructure, the final destination is in URLhaus, decoded URL downloads a zip or executable, leverages URL shorteners, known QR abused openredirects, and more.
type: "rule"
severity: "high"
source: |
  type.inbound
  and 1 <= length(attachments) < 3

  // Inspects image attachments for QR codes
  and any(attachments,
          (.file_type in $file_types_images or .file_type == "pdf")
          and (
            any(file.explode(.),
                .scan.qr.type == "url"
                and (
                  // pass the QR URL to LinkAnalysis
                  any([beta.linkanalysis(.scan.qr.url)],
                      .credphish.disposition == "phishing"

                      // any routing traverses via $suspicious_tld list
                      or any(.redirect_history, .domain.tld in $suspicious_tlds)

                      // effective destination in $suspicious_tld list
                      or .effective_url.domain.tld in $suspicious_tlds

                      // or the effective destination domain is in $abuse_ch_urlhaus_domains_trusted_reporters
                      or .effective_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters

                      // or any files downloaded are zips or executables
                      or any(.files_downloaded,
                             .file_extension in $file_extensions_common_archives
                             or .file_extension in $file_extensions_executables
                      )
                  )
                  or (

                    // or the QR code's root domain is a url_shortener
                    .scan.qr.url.domain.root_domain in $url_shorteners

                    // exclude google maps
                    and not strings.starts_with(.scan.qr.url.url, 'https://goo.gl/maps')
                  )

                  // the QR code url is a bing open redirect
                  or .scan.qr.url.domain.root_domain == 'bing.com' and .scan.qr.url.path =~ '/ck/a'
                  or (

                    // usap-dc open redirect
                    .scan.qr.url.domain.root_domain == "usap-dc.org"
                    and .scan.qr.url.path =~ "/tracker"
                    and strings.starts_with(.scan.qr.url.query_params, "type=dataset&url=http")
                  )
                )
            )
          )
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "Natural Language Understanding"
  - "QR code analysis"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "9f1681e1-8c15-5edd-9aaa-eb5af1729322"
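To show how the rule's per-QR-URL branches and the sender-profile gate combine, here is an added Python re-implementation of that logic (not Sublime's code) evaluated over constructed inputs. The list sets are small stand-ins for Sublime's managed lists ($suspicious_tlds, $url_shorteners, URLhaus), the `link_analysis` dict is a constructed stand-in for the LinkAnalysis result, and `=~` (MQL case-insensitive equality) is mirrored with `.lower() ==`.

```python
from urllib.parse import urlparse

# Constructed stand-ins for the Sublime managed lists referenced by the rule.
SUSPICIOUS_TLDS = {"zip", "top", "xyz"}
URL_SHORTENERS = {"bit.ly", "goo.gl", "t.co"}
URLHAUS_DOMAINS = {"bad-host.example"}
RISKY_EXTS = {"zip", "rar", "7z", "exe", "msi", "scr"}  # archives + executables

def root_domain(host):
    # Naive eTLD+1 (last two labels); adequate for the constructed inputs here.
    return ".".join(host.split(".")[-2:])

def tld(host):
    return host.rsplit(".", 1)[-1]

def qr_url_is_suspicious(qr_url, link_analysis):
    """Return the name of the first matching indicator, or None (constructed fields)."""
    u = urlparse(qr_url)
    host = u.hostname or ""
    la = link_analysis
    # Branch 1: findings LinkAnalysis produced for the decoded URL
    if la.get("disposition") == "phishing":
        return "linkanalysis_phishing"
    if any(tld(h) in SUSPICIOUS_TLDS for h in la.get("redirect_hosts", [])):
        return "redirect_via_suspicious_tld"
    eff = la.get("effective_host", "")
    if tld(eff) in SUSPICIOUS_TLDS:
        return "effective_suspicious_tld"
    if root_domain(eff) in URLHAUS_DOMAINS:
        return "effective_in_urlhaus"
    if any(f.rsplit(".", 1)[-1].lower() in RISKY_EXTS for f in la.get("files_downloaded", [])):
        return "downloads_archive_or_executable"
    # Branch 2: URL shortener, with the rule's Google Maps exclusion
    if root_domain(host) in URL_SHORTENERS and not qr_url.startswith("https://goo.gl/maps"):
        return "url_shortener"
    # Branch 3: the two open redirects the rule names (=~ is case-insensitive equality)
    if root_domain(host) == "bing.com" and u.path.lower() == "/ck/a":
        return "bing_open_redirect"
    if (root_domain(host) == "usap-dc.org" and u.path.lower() == "/tracker"
            and u.query.startswith("type=dataset&url=http")):
        return "usap_dc_open_redirect"
    return None

def sender_profile_matches(profile):
    """The rule's sender gate: new/outlier sender, or prior bad mail and no false positives."""
    return profile["prevalence"] in ("new", "outlier") or (
        profile["any_messages_malicious_or_spam"] and not profile["any_false_positives"])

def message_matches(attachment_qr_urls, link_analysis_by_url, profile):
    """Attachment-count gate (1 <= n < 3, as written in the rule) plus the checks above."""
    if not 1 <= len(attachment_qr_urls) < 3:
        return False
    hit = any(qr_url_is_suspicious(url, link_analysis_by_url.get(url, {})) for url in attachment_qr_urls)
    return hit and sender_profile_matches(profile)
```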