Attachment: QR code link with base64-encoded recipient address

Detects when an image or macro attachment contains QR codes that, when scanned, lead to URLs containing the recipient's email address. This tactic is used to uniquely track or target specific recipients and serve tailored credential phishing pages.

Sublime rule (View on GitHub)

 1name: "Attachment: QR code link with base64-encoded recipient address"
 2description: "Detects when an image or macro attachment contains QR codes that, when scanned, lead to URLs containing the recipient's email address. This tactic is used to uniquely track or target specific recipients and serve tailored credential phishing pages."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and 1 of (
 8    any(ml.nlu_classifier(subject.subject).intents,
 9        .name == "cred_theft" and .confidence == "high"
10    ),
11    body.current_thread.text is null,
12    any($org_slds, strings.icontains(sender.display_name, .))
13  )
14  and any(attachments,
15          (
16            .file_type in $file_types_images
17            or .file_extension in $file_extensions_macros
18            or .file_type == "pdf"
19          )
20          and any(file.explode(.),
21                  any(recipients.to,
22                      .email.domain.valid
23                      and any(beta.scan_base64(..scan.qr.url.url,
24                                               format="url",
25                                               ignore_padding=true
26                              ),
27                              strings.icontains(., ..email.email)
28                      )
29                  )
30          )
31  )
32  and not profile.by_sender_email().any_messages_benign
33  and not profile.by_sender_email().solicited  
34attack_types:
35  - "Credential Phishing"
36tactics_and_techniques:
37  - "QR code"
38  - "Image as content"
39  - "Social engineering"
40  - "Evasion"
41  - "PDF"
42  - "Macros"
43detection_methods:
44  - "Computer Vision"
45  - "File analysis"
46  - "Natural Language Understanding"
47  - "QR code analysis"
48  - "Sender analysis"
49id: "927a0c1a-f136-56db-acfd-df47db6ec246"