Compensation review with QR code in attached EML
Detects inbound messages whose subject contains compensation-related terms (salary, bonus, merit, etc.) combined with review/change language, and that carry an attached EML (message/rfc822) in which a QR code or barcode is found — either decoded from an attachment or rendered body of the nested message, or referenced by "scan this QR code"-style text in a scanned document or the nested body.
Sublime rule source (YAML; the `source` field is MQL):
name: "Compensation review with QR code in attached EML"
description: "Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents."
type: "rule"
severity: "high"
# Detection logic is in the MQL block below. Both subject term groups are
# required, and only the subject is matched for them, so a lure that keeps a
# neutral subject and puts the pay/QR language in the body alone is out of
# scope here; the QR/barcode evidence must come from inside the attached EML.
source: |
  type.inbound

  // the subject contains pay related items
  // (note: 'comp(?:liance|ensation|\b)' also matches "compliance" and the bare
  // word "comp"; '\bpay(?:roll|\b)' matches "payroll" or the whole word "pay")
  and (
    strings.icontains(subject.subject, 'salary')
    or regex.icontains(subject.subject, 'comp(?:liance|ensation|\b)')
    or strings.icontains(subject.subject, 'remuneration')
    or regex.icontains(subject.subject, '\bpay(?:roll|\b)')
    or strings.icontains(subject.subject, 'bonus')
    or strings.icontains(subject.subject, 'incentive')
    or strings.icontains(subject.subject, 'merit')
    or strings.icontains(subject.subject, 'handbook')
    or strings.icontains(subject.subject, 'benefits')
  )
  // subjects include review/updates/changes
  // (icontains is case-insensitive, so the capitalised entries below behave
  // the same as the lower-case ones)
  and (
    strings.icontains(subject.subject, 'review')
    or strings.icontains(subject.subject, 'Summary')
    or strings.icontains(subject.subject, 'evaluation')
    or regex.icontains(subject.subject, 'eval\b')
    or strings.icontains(subject.subject, 'assessment')
    or strings.icontains(subject.subject, 'appraisal')
    or strings.icontains(subject.subject, 'feedback')
    or strings.icontains(subject.subject, 'performance')
    or strings.icontains(subject.subject, 'adjustment')
    or strings.icontains(subject.subject, 'statement')
    or strings.icontains(subject.subject, 'increase')
    or strings.icontains(subject.subject, 'raise')
    or strings.icontains(subject.subject, 'change')
    or strings.icontains(subject.subject, 'modification')
    or strings.icontains(subject.subject, 'distribution')
    or strings.icontains(subject.subject, 'Disbursement')
    or regex.icontains(subject.subject, 'revis(?:ed|ion)')
    or regex.icontains(subject.subject, 'amend(?:ed|ment)')
    or strings.icontains(subject.subject, 'update')
  )
  // Only attachments that are themselves an email (by MIME type or .eml
  // extension) are examined; the outer message's own attachments/body are
  // not scanned for QR codes by this rule. Any one of the three paths
  // below, on any one attached EML, is enough.
  and any(filter(attachments,
                 .content_type == "message/rfc822" or .file_extension in ('eml')
          ),
          // Path 1: inspect attachments in nested EML. Each exploded part
          // matches if its OCR text contains both a "scan"/"camera" cue and a
          // QR/barcode cue, or if a QR code decoded from it is a URL with a
          // valid domain. A QR payload that is not a URL is only caught via
          // the OCR keyword branch.
          // NOTE(review): the `or` here relies on `and` binding tighter than
          // `or`; parenthesising the QR clause would make that explicit.
          any(file.parse_eml(.).attachments,
              any(file.explode(.),
                  (
                    regex.icontains(.scan.ocr.raw, 'scan|camera')
                    and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
                  )
                  or .scan.qr.type == "url" and .scan.qr.url.domain.valid
              )
          )
          // Path 2: inspect nested EML in body.current_thread. This branch is
          // text-only — it fires on "scan ... QR/barcode" wording in the
          // nested body and does not confirm a QR image is actually present.
          or (
            regex.icontains(file.parse_eml(.).body.current_thread.text,
                            'scan|camera'
            )
            and regex.icontains(file.parse_eml(.).body.current_thread.text,
                                '\bQR\b|Q\.R\.|barcode'
            )
          )
          // Path 3: there is a QR code found within the rendered HTML body of
          // the nested message, and it decodes to a URL with a valid domain.
          // (The screenshot + QR decode is evaluated twice here: once for
          // .found and once for .items.)
          or (
            beta.scan_qr(file.html_screenshot(file.parse_eml(.).body.html)).found
            and any(beta.scan_qr(file.html_screenshot(file.parse_eml(.).body.html)
                    ).items,
                    .type == "url" and .url.domain.valid
            )
          )
  )

  // negate instances where proofpoint sends a review of a reported message via analyzer
  // (those replies quote the reported mail as an attached EML). The bypass
  // requires the exact sender address, a pphosted.com domain in the headers,
  // AND passing SPF and DMARC, so a forged From: alone does not earn it.
  and not (
    sender.email.email == "analyzer@analyzer.securityeducation.com"
    and any(headers.domains, .root_domain == "pphosted.com")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Optical Character Recognition"
  - "QR code analysis"
id: "98a2f03c-4bec-556d-af84-709d41819877"