Attachment: QR Code Link With Base64-Encoded Recipient Address

Detects when an image or macro attachment contains QR codes that, when scanned, lead to URLs containing the recipient's email address. This tactic is used to uniquely track or target specific recipients and serve tailored credential phishing pages.


# Sublime Security detection rule; the `source` block scalar holds the MQL query.
name: "Attachment: QR Code Link With Base64-Encoded Recipient Address"
description: "Detects when an image or macro attachment contains QR codes that, when scanned, lead to URLs containing the recipient's email address. This tactic is used to uniquely track or target specific recipients and serve tailored credential phishing pages."
type: "rule"
# A hit implies a lure tailored to a specific recipient, hence "high".
severity: "high"
# Query logic, top to bottom:
#   1. inbound mail only (type.inbound);
#   2. at least one ("1 of") of three lure signals: the subject's NLU intent is
#      cred_theft at high confidence, the current-thread body text is null, or the
#      sender display name contains an entry of the $org_slds list (presumably the
#      org's second-level domains);
#   3. an attachment that is an image, has a macro file extension, or is a PDF
#      (the description above omits PDF, but the query includes it), whose
#      exploded content yields a QR code URL; any base64-decoded candidate from
#      that URL (beta.scan_base64, ignore_padding=true) must contain a recipient's
#      email address via strings.icontains. The `..` prefix reaches the enclosing
#      scope: ..scan.qr.url.url is the exploded file, ..email.email the recipient.
#      Only recipients whose email domain is valid are compared;
#   4. suppressions from the sender profile: known false positives and solicited senders.
# NOTE(review): only recipients.to is compared; an address that appears only in
# cc/bcc would not match — confirm this is intended.
# NOTE(review): strings.icontains is a substring match on the decoded text, so
# the decoded URL must literally contain the recipient's full address; a URL
# carrying only a hash or token of the address would not trigger this rule.
source: |
  type.inbound
  and 1 of (
    any(ml.nlu_classifier(subject.subject).intents,
        .name == "cred_theft" and .confidence == "high"
    ),
    body.current_thread.text is null,
    any($org_slds, strings.icontains(sender.display_name, .))
  )
  and any(attachments,
          (.file_type in $file_types_images or .file_extension in $file_extensions_macros or .file_type == "pdf")
          and any(file.explode(.),
                  any(recipients.to,
                      .email.domain.valid
                      and any(beta.scan_base64(..scan.qr.url.url, ignore_padding=true),
                          strings.icontains(., ..email.email)
                      )
                  )
          )
  )
  and not profile.by_sender_email().any_false_positives
  and not profile.by_sender_email().solicited  

# Classification metadata used for rule search and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Image as content"
  - "Social engineering"
  - "Evasion"
  - "PDF"
  - "Macros"
detection_methods:
  - "Computer Vision"
  - "File analysis"
  - "Natural Language Understanding"
  - "QR code analysis"
  - "Sender analysis"
# Stable rule identifier.
id: "927a0c1a-f136-56db-acfd-df47db6ec246"