Attachment: QR code with userinfo portion
Detects inbound messages that contain image or document attachments with QR codes containing embedded usernames, passwords, or excessively padded URLs. This technique is used to bypass traditional text-based detection methods.
Sublime rule

```yaml
name: "Attachment: QR code with userinfo portion"
description: "Detects inbound messages that contain image or document attachments with QR codes containing embedded usernames, passwords, or excessively padded URLs. This technique is used to bypass traditional text-based detection methods."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_type in $file_types_images
            or .file_extension in $file_extensions_macros
            or .file_type == "pdf"
          )
          and any(file.explode(.),
                  (
                    .scan.qr.url.username is not null
                    or .scan.qr.url.password is not null
                    // keep in sync with https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/link_userinfo_excessive_padding.yml
                    or regex.icontains(coalesce(.scan.qr.url.rewrite.original,
                                                .scan.qr.url.url
                                       ),
                                       'https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+(?:\s+|%(?:25)?[a-f0-9]{2}|0x[a-f0-9]+){30,}(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)'
                    )
                  )
                  and .scan.qr.url.domain.root_domain != sender.email.domain.root_domain
                  and not any(recipients.to,
                              .email.domain.root_domain == ..scan.qr.url.domain.root_domain
                  )
                  and not any(recipients.cc,
                              .email.domain.root_domain == ..scan.qr.url.domain.root_domain
                  )
                  // an error in strings.parse_email returns null for the full object;
                  // this check ensures that the url is not a valid email address
                  and strings.parse_email(.scan.qr.url.url).email is null
          )
  )
  and not profile.by_sender_email().any_messages_benign
  and not profile.by_sender_email().solicited
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
  - "PDF"
  - "QR code"
detection_methods:
  - "QR code analysis"
  - "File analysis"
  - "Sender analysis"
id: "9d62cc5c-787c-5f57-93be-0ee96dc73d3e"
```
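To see what the rule's per-attachment conditions do to a decoded QR payload, here is an added Python example (not Sublime's code) that mirrors the userinfo, padding-regex, first-party-domain and email-address checks on a plain URL string. `root_domain` is a two-label simplification of Sublime's public-suffix-aware helper, `EMAIL_RE` stands in for `strings.parse_email`, and the sample URLs and domains are constructed.

```python
import re
from urllib.parse import urlsplit

# Padding regex copied from the rule; Sublime applies it case-insensitively (regex.icontains).
PADDED_USERINFO_RE = re.compile(
    r"https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+"
    r"(?:\s+|%(?:25)?[a-f0-9]{2}|0x[a-f0-9]+){30,}"
    r"(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)",
    re.IGNORECASE,
)
# Simplified stand-in for strings.parse_email: a bare address with no scheme or path.
EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[^@\s/]+$")


def root_domain(host):
    """Last two labels of a hostname. Simplification (assumption): the real rule uses a
    public-suffix-aware root_domain, so names like 'a.co.uk' are handled differently."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def qr_url_findings(qr_url, sender_domain, recipient_domains):
    """Evaluate one decoded QR payload the way the rule's inner any() does and
    return each condition separately so an analyst can see which one fired."""
    parts = urlsplit(qr_url)
    findings = {
        "has_username": parts.username is not None,
        "has_password": parts.password is not None,
        "excessive_padding": PADDED_USERINFO_RE.search(qr_url) is not None,
        "is_email_address": EMAIL_RE.match(qr_url) is not None,
    }
    host = parts.hostname or ""
    qr_root = root_domain(host) if host else ""
    # The rule suppresses hits when the QR domain matches the sender or any To/CC recipient.
    known = {root_domain(d) for d in [sender_domain, *recipient_domains]}
    findings["first_party_domain"] = qr_root in known
    findings["suspicious"] = (
        (findings["has_username"] or findings["has_password"] or findings["excessive_padding"])
        and not findings["first_party_domain"]
        and not findings["is_email_address"]
    )
    return findings


if __name__ == "__main__":
    # Constructed sample: a hostname-lookalike padded with 30 encoded spaces before the real host.
    padded = "https://login.example.com" + "%20" * 30 + "@evil-host.test/path"
    print(qr_url_findings(padded, "corp.example", ["corp.example"]))
```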
Related rules
- Service abuse: Facebook business with action required subject
- Headers: Self-sender using Microsoft CompAuth bypass with credential theft content
- Attachment: ICS file with links to newly registered domains
- Spam: Website errors solicitation
- Service abuse: Google Firebase sender address with suspicious content