Compensation review with QR code in attached EML

Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents.

Sublime rule (View on GitHub)

 1name: "Compensation review with QR code in attached EML"
 2description: "Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  
 8  // the subject contains pay related items
 9  and (
10    strings.icontains(subject.subject, 'salary')
11    or regex.icontains(subject.subject, 'comp(?:liance|ensation|\b)')
12    or strings.icontains(subject.subject, 'remuneration')
13    or regex.icontains(subject.subject, '\bpay(?:roll|\b)')
14    or strings.icontains(subject.subject, 'bonus')
15    or strings.icontains(subject.subject, 'incentive')
16    or strings.icontains(subject.subject, 'merit')
17    or strings.icontains(subject.subject, 'handbook')
18    or strings.icontains(subject.subject, 'benefits')
19  )
20  // subjects include review/updates/changes
21  and (
22    strings.icontains(subject.subject, 'review')
23    or strings.icontains(subject.subject, 'evaluation')
24    or regex.icontains(subject.subject, 'eval\b')
25    or strings.icontains(subject.subject, 'assessment')
26    or strings.icontains(subject.subject, 'appraisal')
27    or strings.icontains(subject.subject, 'feedback')
28    or strings.icontains(subject.subject, 'performance')
29    or strings.icontains(subject.subject, 'adjustment')
30    or strings.icontains(subject.subject, 'statement')
31    or strings.icontains(subject.subject, 'increase')
32    or strings.icontains(subject.subject, 'raise')
33    or strings.icontains(subject.subject, 'change')
34    or strings.icontains(subject.subject, 'modification')
35    or strings.icontains(subject.subject, 'distribution')
36    or regex.icontains(subject.subject, 'revis(?:ed|ion)')
37    or regex.icontains(subject.subject, 'amend(?:ed|ment)')
38    or strings.icontains(subject.subject, 'update')
39  )
40  and any(filter(attachments, .content_type == "message/rfc822"),
41          any(file.parse_eml(.).attachments,
42              any(file.explode(.),
43                  (
44                    regex.icontains(.scan.ocr.raw, 'scan|camera')
45                    and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
46                  )
47                  or .scan.qr.type == "url" and .scan.qr.url.domain.valid
48              )
49          )
50  )  
51attack_types:
52  - "Credential Phishing"
53tactics_and_techniques:
54  - "QR code"
55  - "Social engineering"
56detection_methods:
57  - "Computer Vision"
58  - "Content analysis"
59  - "Optical Character Recognition"
60  - "QR code analysis"
61id: "98a2f03c-4bec-556d-af84-709d41819877"
to-top