Attachment: QR Code With Userinfo Portion
Detects inbound messages that contain image or document attachments with QR codes containing embedded usernames, passwords, or excessively padded URLs. This technique is used to bypass traditional text-based detection methods.
Sublime rule
name: "Attachment: QR Code With Userinfo Portion"
description: "Detects inbound messages that contain image or document attachments with QR codes containing embedded usernames, passwords, or excessively padded URLs. This technique is used to bypass traditional text-based detection methods."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_type in $file_types_images
            or .file_extension in $file_extensions_macros
            or .file_type == "pdf"
          )
          and any(file.explode(.),
                  (
                    .scan.qr.url.username is not null
                    or .scan.qr.url.password is not null
                    // keep in sync with https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/link_userinfo_excessive_padding.yml
                    or regex.icontains(coalesce(.scan.qr.url.rewrite.original,
                                                .scan.qr.url.url
                                       ),
                                       'https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+(?:\s+|%(?:25)?[a-f0-9]{2}|0x[a-f0-9]+){30,}(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)'
                    )
                  )
                  and .scan.qr.url.domain.root_domain != sender.email.domain.root_domain
                  and not any(recipients.to,
                              .email.domain.root_domain == ..scan.qr.url.domain.root_domain
                  )
                  and not any(recipients.cc,
                              .email.domain.root_domain == ..scan.qr.url.domain.root_domain
                  )
          )
  )
  and not profile.by_sender_email().any_false_positives
  and not profile.by_sender_email().solicited

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
  - "PDF"
  - "QR code"
detection_methods:
  - "QR code analysis"
  - "File analysis"
  - "Sender analysis"
id: "9d62cc5c-787c-5f57-93be-0ee96dc73d3e"
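The per-URL checks in the rule's source block, reimplemented as an added Python example so they can be run against decoded QR URLs offline (this is not Sublime's code and not part of the rule page). It applies the rule's padded-userinfo regex case-insensitively, as regex.icontains does, and assumes a simplified root_domain (last two labels) in place of Sublime's public-suffix-based one; the sample URLs and addresses are constructed.

```python
import re
from urllib.parse import urlsplit

# The same expression the rule applies with regex.icontains (case-insensitive).
PADDED_USERINFO_RE = re.compile(
    r'https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+'
    r'(?:\s+|%(?:25)?[a-f0-9]{2}|0x[a-f0-9]+){30,}'
    r'(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)',
    re.IGNORECASE,
)

def root_domain(host):
    """Stand-in for Sublime's root_domain: the last two labels.
    Assumption for this example; the real attribute uses the public suffix list."""
    return '.'.join(host.lower().rstrip('.').split('.')[-2:])

def qr_url_findings(qr_url, sender_email, recipients):
    """Return the reasons a decoded QR URL satisfies the rule's per-attachment
    block, or [] if it does not (the sender/recipient root-domain exclusions
    included). qr_url is the URL with any link-rewrite already unwrapped, which
    is what coalesce(.rewrite.original, .url) selects in the rule."""
    parts = urlsplit(qr_url)
    reasons = []
    if parts.username is not None:          # .scan.qr.url.username is not null
        reasons.append('username in userinfo')
    if parts.password is not None:          # .scan.qr.url.password is not null
        reasons.append('password in userinfo')
    if PADDED_USERINFO_RE.search(qr_url):   # 30+ pad tokens before @ or %40
        reasons.append('excessively padded userinfo')
    if not reasons:
        return []
    target = root_domain(parts.hostname or '')
    # Exclusions: QR target on the sender's or on any recipient's root domain.
    if target == root_domain(sender_email.rsplit('@', 1)[-1]):
        return []
    if any(target == root_domain(r.rsplit('@', 1)[-1]) for r in recipients):
        return []
    return reasons

# Constructed samples (not real indicators).
SENDER = 'alerts@sender.example.com'
RECIPIENTS = ['bob@corp.example.org', 'cc@corp.example.org']
PADDED = 'https://login.example.com' + '%20' * 35 + '@evil.example.net/reset'

if __name__ == '__main__':
    for url in ('https://user:pass@evil.example.net/login', PADDED,
                'https://user@corp.example.org/x', 'https://corp.example.org/x'):
        print(url[:60], '->', qr_url_findings(url, SENDER, RECIPIENTS))
```

The padded sample trips both the userinfo check (the padding sits in the username slot) and the regex, which is why the rule ORs the three conditions: the regex also covers encoded forms such as %40 that a URL parser would not treat as userinfo.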