Compensation review with QR code in attached EML
Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents.
Sublime rule (View on GitHub)
1name: "Compensation review with QR code in attached EML"
2description: "Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7
8 // the subject contains pay related items
9 and (
10 strings.icontains(subject.subject, 'salary')
11 or regex.icontains(subject.subject, 'comp(?:liance|ensation|\b)')
12 or strings.icontains(subject.subject, 'remuneration')
13 or regex.icontains(subject.subject, '\bpay(?:roll|\b)')
14 or strings.icontains(subject.subject, 'bonus')
15 or strings.icontains(subject.subject, 'incentive')
16 or strings.icontains(subject.subject, 'merit')
17 or strings.icontains(subject.subject, 'handbook')
18 or strings.icontains(subject.subject, 'benefits')
19 )
20 // subjects include review/updates/changes
21 and (
22 strings.icontains(subject.subject, 'review')
23 or strings.icontains(subject.subject, 'evaluation')
24 or regex.icontains(subject.subject, 'eval\b')
25 or strings.icontains(subject.subject, 'assessment')
26 or strings.icontains(subject.subject, 'appraisal')
27 or strings.icontains(subject.subject, 'feedback')
28 or strings.icontains(subject.subject, 'performance')
29 or strings.icontains(subject.subject, 'adjustment')
30 or strings.icontains(subject.subject, 'statement')
31 or strings.icontains(subject.subject, 'increase')
32 or strings.icontains(subject.subject, 'raise')
33 or strings.icontains(subject.subject, 'change')
34 or strings.icontains(subject.subject, 'modification')
35 or strings.icontains(subject.subject, 'distribution')
36 or regex.icontains(subject.subject, 'revis(?:ed|ion)')
37 or regex.icontains(subject.subject, 'amend(?:ed|ment)')
38 or strings.icontains(subject.subject, 'update')
39 )
40 and any(filter(attachments, .content_type == "message/rfc822"),
41 any(file.parse_eml(.).attachments,
42 any(file.explode(.),
43 (
44 regex.icontains(.scan.ocr.raw, 'scan|camera')
45 and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
46 )
47 or .scan.qr.type == "url" and .scan.qr.url.domain.valid
48 )
49 )
50 )
51attack_types:
52 - "Credential Phishing"
53tactics_and_techniques:
54 - "QR code"
55 - "Social engineering"
56detection_methods:
57 - "Computer Vision"
58 - "Content analysis"
59 - "Optical Character Recognition"
60 - "QR code analysis"
61id: "98a2f03c-4bec-556d-af84-709d41819877"