Attachment: QR code with recipient targeting and special characters

Detects messages whose attachments contain a QR code pointing to a URL with a special character ('!' or '@') in its path and the recipient's email address in either the URL path or the fragment, either verbatim or base64-encoded. The URL has a single-segment path that ends with a suspicious marker ('/$' or '/*').

Sublime rule

```yaml
name: "Attachment: QR code with recipient targeting and special characters"
description: "Detects messages with QR code in attachments containing special characters in the path that include the recipient's email address in either the URL path or fragment, potentially encoded in base64. The URLs have a simple path structure and may end with suspicious patterns."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(recipients.to) == 1
  and recipients.to[0].email.domain.valid
  and any(attachments,
          any(file.explode(.),
              // special char in the path
              (
                strings.icontains(.scan.qr.url.path, '!')
                or strings.icontains(.scan.qr.url.path, '@')
              )
              // a single path
              and strings.count(.scan.qr.url.path, '/') == 2
              and (
                strings.icontains(.scan.qr.url.path, '/$')
                or strings.icontains(.scan.qr.url.path, '/*')
              )
              and (
                (
                  strings.icontains(.scan.qr.url.path,
                                    recipients.to[0].email.email
                  )
                  or strings.icontains(.scan.qr.url.fragment,
                                       recipients.to[0].email.email
                  )
                  or any(strings.scan_base64(.scan.qr.url.path,
                                             ignore_padding=true
                         ),
                         strings.icontains(., recipients.to[0].email.email)
                  )
                  or any(strings.scan_base64(.scan.qr.url.fragment,
                                             ignore_padding=true
                         ),
                         strings.icontains(., recipients.to[0].email.email)
                  )
                )
              )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "QR code analysis"
  - "URL analysis"
  - "Computer Vision"
id: "fc9e1c09-4691-5cde-94d1-ccd953f1b63a"
```
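To see what the per-attachment logic above actually accepts and rejects, here is an added Python re-implementation of it (not Sublime's code; the rule is evaluated by the Sublime engine, not by this script). It assumes a simplified stand-in for `strings.scan_base64` with `ignore_padding=true` and runs over constructed URL paths and fragments for a made-up recipient.

```python
import base64
import re

# Constructed sample data (not from the rule page): a recipient address and
# QR-decoded URL paths/fragments shaped like the rule's conditions.
RECIPIENT = "alice@example.com"
ENCODED = base64.b64encode(RECIPIENT.encode()).decode().rstrip("=")  # unpadded
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def scan_base64(text: str) -> list[str]:
    """Approximates strings.scan_base64(..., ignore_padding=true): decode each
    base64-looking run after restoring any missing padding."""
    decoded = []
    for match in B64_RUN.finditer(text):
        # "/" opens a path segment but is also a base64 symbol; drop it so the
        # token lines up with what an encoder would have emitted
        chunk = match.group(0).lstrip("/").rstrip("=")
        chunk += "=" * (-len(chunk) % 4)
        try:
            decoded.append(base64.b64decode(chunk, validate=True).decode("utf-8", "ignore"))
        except ValueError:  # binascii.Error is a ValueError
            continue
    return decoded

def icontains(haystack: str, needle: str) -> bool:
    return needle.lower() in haystack.lower()

def qr_targets_recipient(path: str, fragment: str, recipient: str) -> bool:
    """The rule's per-attachment logic: a special character in the path, a
    single path segment, a "/$" or "/*" marker, and the recipient address in
    the path or fragment, either verbatim or base64-encoded."""
    special_char = icontains(path, "!") or icontains(path, "@")
    single_path = path.count("/") == 2
    marker = icontains(path, "/$") or icontains(path, "/*")
    targeted = (
        icontains(path, recipient)
        or icontains(fragment, recipient)
        or any(icontains(d, recipient) for d in scan_base64(path))
        or any(icontains(d, recipient) for d in scan_base64(fragment))
    )
    return special_char and single_path and marker and targeted

def evaluate_samples() -> dict[str, bool]:
    """Run the check over the constructed samples; the key names each case."""
    return {
        "b64_in_path": qr_targets_recipient(f"/{ENCODED}!/$", "", RECIPIENT),
        "plain_in_fragment": qr_targets_recipient("/!/*", RECIPIENT, RECIPIENT),
        "no_special_char": qr_targets_recipient(f"/{ENCODED}/$", "", RECIPIENT),
        "other_recipient": qr_targets_recipient(f"/{ENCODED}!/$", "", "bob@example.com"),
    }
```

The two rejected samples show why the rule is narrow: the base64 payload alone is not enough without the special character, and a lure built for a different mailbox does not fire on this recipient.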