Attachment: QR code with encoded recipient targeting and redirect indicators

Detects QR codes in attachments that contain the recipient's email address (either plaintext or base64 encoded) and redirect through suspicious URI structures commonly associated with Kratos/SneakyLog redirection services.


 1name: "Attachment: QR code with encoded recipient targeting and redirect indicators"
 2description: "Detects QR codes in attachments that contain the recipient's email address (either plaintext or base64 encoded) and redirect through suspicious URI structures commonly associated with Kratos/SneakyLog redirection services."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
    // Two attachment paths are covered below: Office documents (exploded, with a
    // recipient-targeting check on the QR URL) and PDFs/images (beta QR scan,
    // URI-pattern check only).
 7  // QR code detection in attachments
 8  and any(attachments,
 9          (
10            // Office documents
11            .file_extension in $file_extensions_macros
12            and any(file.explode(.),
13                    .scan.qr.type == "url"
14                    // QR code URL contains recipient's email (targeting indicator)
                      // `..scan.qr.url.url` reaches the enclosing exploded-file item;
                      // `.email.email` is the current recipients.to entry.
15                    and any(recipients.to,
16                            .email.domain.valid
17                            and (
18                              // Plaintext email address in URL
19                              strings.icontains(..scan.qr.url.url, .email.email)
20                              // OR base64 encoded email address
                                // Each decoded base64 candidate in the URL is compared
                                // against the same recipient (`..email.email` = parent scope).
21                              or any(strings.scan_base64(..scan.qr.url.url,
22                                                         format="url",
23                                                         ignore_padding=true
24                                     ),
25                                     strings.icontains(., ..email.email)
26                              )
27                            )
28                    )
29                    // URI Struct for Common Kratos/SneakyLog Redir
                      // Note: inside the character class `[$#]`, `$` is a literal dollar sign,
                      // not an end-of-string anchor — the pattern matches e.g. `.sbs#`, `.you$`
                      // or `.company?a=`. If end-of-string was intended, confirm and move `$`
                      // outside the class.
30                    and regex.contains(.scan.qr.url.url,
31                                       '\.(?:c(?:ompany|you)|sbs)(?:[$#]|\?a=)'
32                    )
33            )
34          )
35          or (
36            // pdf or images
37            (
38              .file_type == "pdf" or .file_type in $file_types_images
39            )
40            //
41            // This rule makes use of a beta feature and is subject to change without notice
42            // using the beta feature in custom rules is not suggested until it has been formally released
43            //
              // NOTE(review): unlike the Office branch above, this path applies only the
              // URI pattern and does not require the recipient's address in the QR URL,
              // so it is broader than the rule title/description suggest — confirm intended.
44            and any(beta.scan_qr(.).items,
45                    .type is not null
46                    and regex.contains(.url.url,
47                                       '\.(?:c(?:ompany|you)|sbs)(?:[$#]|\?a=)'
48                    )
49            )
50          )
51  )  
52attack_types:
53  - "Credential Phishing"
54tactics_and_techniques:
55  - "QR code"
56  - "Evasion"
57  - "Image as content"
58  - "Open redirect"
59detection_methods:
60  - "Archive analysis"
61  - "File analysis"
62  - "QR code analysis"
63  - "URL analysis"
64id: "5d51e565-ea18-501e-87a6-37cdda705631"