Attachment: SVG files with evasion elements
This rule identifies incoming SVG vector graphics files containing specific patterns: circle elements combined with at least one of embedded images, hyperlinks, QR codes, or filenames that match recipient information (the recipient's local part or second-level domain). It only applies to messages with three or fewer attachments. SVG circle elements have been used to obfuscate QR codes and bypass automated QR code scanning methods.
Sublime rule
```yaml
name: "Attachment: SVG files with evasion elements"
description: "This rule identifies incoming SVG vector graphics files containing specific patterns: circle elements combined with either embedded images, hyperlinks, QR codes, or filenames that match recipient information. Limited to three attachments. SVG circle elements have been used to obfuscate QR codes and bypass automated QR code scanning methods."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(attachments) < 4
  and any(attachments,
          (
            .file_extension == "svg"
            or .content_type in ("image/svg+xml")
            or .file_type == "svg"
          )
          and any(file.explode(.),
                  any(.scan.xml.tags, . == "circle")
                  and 1 of (
                    any(.scan.xml.tags, . in ("image", "a")),
                    .scan.qr.data is not null,
                    any(recipients.to,
                        strings.icontains(..file_name, .email.local_part)
                    ),
                    any(recipients.to,
                        strings.icontains(..file_name, .email.domain.sld)
                    )
                  )
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Image as content"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "XML analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "5d2dbb60-d4bd-5231-bc3e-712e1cda865a"
```
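To make the rule's logic concrete, here is an added Python re-implementation that evaluates the same conditions over constructed SVG attachments. This is example code, not Sublime Security's rule engine: the `Attachment` and `Recipient` classes, the `qr_data` field (standing in for `.scan.qr.data`, which a real pipeline would fill by decoding the image), the `xml_tags` helper (standing in for `.scan.xml.tags`) and the byte-sniffing approximation of `.file_type` are all assumptions made for the example, and the sample SVGs and recipient are constructed.

```python
# Added example (not Sublime Security's code): a small Python re-implementation of the
# logic in the rule above, run over constructed SVG attachments. Sublime's .scan.xml.tags,
# .scan.qr.data and .file_type fields are approximated here (labelled assumptions).
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional


@dataclass
class Recipient:
    local_part: str   # stands in for recipients.to[].email.local_part
    sld: str          # stands in for recipients.to[].email.domain.sld


@dataclass
class Attachment:
    file_name: str
    content: bytes
    file_extension: str = ""
    content_type: str = ""
    # Assumption: QR decoding happens elsewhere; this field stands in for .scan.qr.data.
    qr_data: Optional[str] = None


def xml_tags(content: bytes) -> set:
    """Approximation of .scan.xml.tags: the set of element names in the document,
    with XML namespaces stripped so '{http://www.w3.org/2000/svg}circle' -> 'circle'."""
    try:
        root = ET.fromstring(content)
    except ET.ParseError:
        return set()
    tags = set()
    for element in root.iter():
        name = element.tag
        if isinstance(name, str) and name.startswith("{"):
            name = name.split("}", 1)[1]
        tags.add(name)
    return tags


def looks_like_svg(att: Attachment) -> bool:
    """The rule's three SVG tests; .file_type is approximated by sniffing the first bytes."""
    return (att.file_extension.lower() == "svg"
            or att.content_type == "image/svg+xml"
            or b"<svg" in att.content[:512])


def attachment_matches(att: Attachment, recipients: list) -> bool:
    """One attachment against the rule body: a circle element plus at least one of
    (image/a element, decoded QR data, filename containing a recipient's local part or SLD)."""
    if not looks_like_svg(att):
        return False
    tags = xml_tags(att.content)
    if "circle" not in tags:
        return False
    name = att.file_name.lower()
    return (bool(tags & {"image", "a"})
            or att.qr_data is not None
            or any(r.local_part.lower() in name for r in recipients)
            or any(r.sld.lower() in name for r in recipients))


def rule_matches(inbound: bool, attachments: list, recipients: list) -> bool:
    """Whole-message verdict: inbound, fewer than four attachments, any attachment hits."""
    if not inbound or len(attachments) >= 4:
        return False
    return any(attachment_matches(a, recipients) for a in attachments)


# Constructed sample data (not real messages).
RECIPIENTS = [Recipient(local_part="jane.doe", sld="example")]

# A plain logo: one circle, nothing else -> should not fire.
LOGO_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
            b'<circle cx="5" cy="5" r="4"/></svg>')
# A circle drawn over an embedded image that is wrapped in a hyperlink -> should fire.
LAYERED_SVG = (b'<?xml version="1.0"?>'
               b'<svg xmlns="http://www.w3.org/2000/svg" '
               b'xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<a xlink:href="https://example.invalid/"><image width="10" height="10" '
               b'href="data:image/png;base64,AAAA"/></a>'
               b'<circle cx="5" cy="5" r="4"/></svg>')

BENIGN = Attachment("logo.svg", LOGO_SVG, file_extension="svg")
LAYERED = Attachment("scan.svg", LAYERED_SVG, content_type="image/svg+xml")
NAMED_FOR_RECIPIENT = Attachment("jane.doe_document.svg", LOGO_SVG, file_extension="svg")

if __name__ == "__main__":
    for att in (BENIGN, LAYERED, NAMED_FOR_RECIPIENT):
        print(att.file_name, "->", attachment_matches(att, RECIPIENTS))
    print("message:", rule_matches(True, [BENIGN, LAYERED], RECIPIENTS))
```

Running it shows `logo.svg` not matching (a circle alone is not enough), while both the layered image-plus-link SVG and the circle-only file named after the recipient do. Note the `1 of (...)` clause is an OR across the four secondary conditions; the circle element is the only mandatory part, so a decoded QR code in `qr_data` would also satisfy the rule on its own.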