Attachment: SVG Files With Evasion Elements
This rule identifies incoming SVG vector graphics files containing specific patterns: circle elements combined with either embedded images, QR codes, or filenames that match recipient information. Limited to three attachments and validates sender authenticity. SVG circle elements have been used to obfuscate QR codes and bypass automated QR code scanning methods.
Sublime rule (View on GitHub)
1name: "Attachment: SVG Files With Evasion Elements"
2description: "This rule identifies incoming SVG vector graphics files containing specific patterns: circle elements combined with either embedded images, QR codes, or filenames that match recipient information. Limited to three attachments and validates sender authenticity. SVG circle elements have been used to obfuscate QR codes and bypass automated QR code scanning methods."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and length(attachments) < 4
8 and any(attachments,
9 (.file_extension == "svg" or .content_type in ("image/svg+xml"))
10 and any(file.explode(.),
11 any(.scan.xml.tags, . == "circle")
12 and 1 of (
13 any(.scan.xml.tags, . == "image"),
14 .scan.qr.data is not null,
15 any(recipients.to,
16 strings.icontains(..file_name, .email.local_part)
17 ),
18 any(recipients.to,
19 strings.icontains(..file_name, .email.domain.sld)
20 )
21 )
22 )
23 )
24 and not profile.by_sender_email().any_false_positives
25 and not profile.by_sender_email().solicited
26tags:
27 - "Attack surface reduction"
28attack_types:
29 - "Malware/Ransomware"
30 - "Credential Phishing"
31tactics_and_techniques:
32 - "QR code"
33 - "Image as content"
34 - "Evasion"
35detection_methods:
36 - "File analysis"
37 - "XML analysis"
38 - "QR code analysis"
39 - "Sender analysis"
40id: "5d2dbb60-d4bd-5231-bc3e-712e1cda865a"