Attachment: QR code link with base64-encoded recipient address
Detects when an image, macro-enabled, or PDF attachment contains a QR code whose URL carries a base64-encoded copy of a recipient's email address. Attackers embed the address this way to uniquely track or target specific recipients and serve tailored credential phishing pages. The rule also requires at least one supporting signal (a high-confidence credential-theft intent in the subject, an empty message body, or an org domain in the sender display name) and excludes senders with benign or solicited history.
Sublime rule:
name: "Attachment: QR code link with base64-encoded recipient address"
description: "Detects when an image or macro attachment contains QR codes that, when scanned, lead to URLs containing the recipient's email address. This tactic is used to uniquely track or target specific recipients and serve tailored credential phishing pages."
type: "rule"
severity: "high"
source: |
  type.inbound
  and 1 of (
    any(ml.nlu_classifier(subject.subject).intents,
        .name == "cred_theft" and .confidence == "high"
    ),
    body.current_thread.text is null,
    any($org_slds, strings.icontains(sender.display_name, .))
  )
  and any(attachments,
          (
            .file_type in $file_types_images
            or .file_extension in $file_extensions_macros
            or .file_type == "pdf"
          )
          and any(file.explode(.),
                  any(recipients.to,
                      .email.domain.valid
                      and any(beta.scan_base64(..scan.qr.url.url,
                                               format="url",
                                               ignore_padding=true
                              ),
                              strings.icontains(., ..email.email)
                      )
                  )
          )
  )
  and not profile.by_sender_email().any_messages_benign
  and not profile.by_sender_email().solicited
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Image as content"
  - "Social engineering"
  - "Evasion"
  - "PDF"
  - "Macros"
detection_methods:
  - "Computer Vision"
  - "File analysis"
  - "Natural Language Understanding"
  - "QR code analysis"
  - "Sender analysis"
id: "927a0c1a-f136-56db-acfd-df47db6ec246"
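The core of the rule is the innermost any(): for each exploded attachment object, take the URL decoded from its QR code, pull every base64 run out of it (padding optional, because of ignore_padding=true), decode each run, and test whether any decoded run contains a To: address, case-insensitively. The Python below is an added example of that step only. It is not Sublime's implementation and not code from the rule repository; it assumes that format="url" selects the URL-safe base64 alphabet, starts from an already-decoded QR URL (QR image decoding, ml.nlu_classifier, $org_slds and the sender-profile gates are out of scope), and uses constructed sample URLs and a constructed recipient address.

```python
"""Model of the rule's innermost test: scan a QR-decoded URL for base64 runs
and check whether any of them decodes to a string containing a To: address."""
import base64
import re
from typing import List, Optional

# URL-safe base64 runs of 16+ chars; trailing padding optional, mirroring
# ignore_padding=true. Assumption: format="url" in the rule means this alphabet.
_B64_RUN = re.compile(r"[A-Za-z0-9_-]{16,}={0,2}")


def decode_lenient(token: str) -> Optional[str]:
    """Decode one base64 token, tolerating stripped padding and the URL-safe
    alphabet. Returns None when the token is not valid base64 or not UTF-8."""
    t = token.rstrip("=")
    if len(t) % 4 == 1:  # no base64 string has length 1 mod 4
        return None
    t += "=" * (-len(t) % 4)  # restore the padding the attacker dropped
    try:
        raw = base64.b64decode(t.replace("-", "+").replace("_", "/"), validate=True)
        return raw.decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass this
        return None


def base64_segments(url: str) -> List[str]:
    """Every base64 run in the URL that decodes to text (the scan_base64 step)."""
    found = []
    for match in _B64_RUN.finditer(url):
        decoded = decode_lenient(match.group(0))
        if decoded is not None:
            found.append(decoded)
    return found


def qr_url_targets_recipient(url: str, to_addresses: List[str]) -> Optional[str]:
    """Return the first To: address found inside a decoded segment, matched
    case-insensitively like strings.icontains, or None if none is embedded."""
    decoded = [seg.lower() for seg in base64_segments(url)]
    for addr in to_addresses:
        if any(addr.lower() in seg for seg in decoded):
            return addr
    return None


# Constructed sample data (not taken from any real message).
RECIPIENT = "john.doe@example.com"
# "am9obi5kb2VAZXhhbXBsZS5jb20" is RECIPIENT base64-encoded with padding dropped.
TRACKING_URL = "https://verify.example.test/login?u=am9obi5kb2VAZXhhbXBsZS5jb20"
# Address buried inside a larger encoded JSON blob, in a different letter case.
_blob = base64.urlsafe_b64encode(b'{"e":"John.Doe@example.com","c":1}').decode().rstrip("=")
JSON_URL = "https://cdn.example.test/open?t=" + _blob
# Benign: the encoded parameter decodes to "session-12345", not an address.
BENIGN_URL = "https://docs.example.test/share?id=c2Vzc2lvbi0xMjM0NQ"
# Address present but not base64-encoded: outside this rule's scope.
PLAINTEXT_URL = "https://verify.example.test/login?u=john.doe%40example.com"

if __name__ == "__main__":
    for name, url in [("tracking", TRACKING_URL), ("json", JSON_URL),
                      ("benign", BENIGN_URL), ("plaintext", PLAINTEXT_URL)]:
        print(f"{name:10} -> {qr_url_targets_recipient(url, [RECIPIENT])}")
```

Two details matter in practice. The rejection of tokens whose length is 1 mod 4 is what makes a padding-tolerant decoder safe: no valid base64 has that length, and re-padding it would decode garbage. And the match is on the decoded text, not the URL, so a plain or percent-encoded address in the URL does not fire this rule; that case belongs to a separate detection.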