Compensation review with QR code in attached EML

calendar Oct 4, 2025  ·
Share on: linkedin copy

Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents.

Sublime rule (View on GitHub)

 1name: "Compensation review with QR code in attached EML"
 2description: "Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  
 8  // the subject contains pay related items
 9  and (
10    strings.icontains(subject.subject, 'salary')
11    or regex.icontains(subject.subject, 'comp(?:liance|ensation|\b)')
12    or strings.icontains(subject.subject, 'remuneration')
13    or regex.icontains(subject.subject, '\bpay(?:roll|\b)')
14    or strings.icontains(subject.subject, 'bonus')
15    or strings.icontains(subject.subject, 'incentive')
16    or strings.icontains(subject.subject, 'merit')
17    or strings.icontains(subject.subject, 'handbook')
18    or strings.icontains(subject.subject, 'benefits')
19  )
20  // subjects include review/updates/changes
21  and (
22    strings.icontains(subject.subject, 'review')
23    or strings.icontains(subject.subject, 'evaluation')
24    or regex.icontains(subject.subject, 'eval\b')
25    or strings.icontains(subject.subject, 'assessment')
26    or strings.icontains(subject.subject, 'appraisal')
27    or strings.icontains(subject.subject, 'feedback')
28    or strings.icontains(subject.subject, 'performance')
29    or strings.icontains(subject.subject, 'adjustment')
30    or strings.icontains(subject.subject, 'statement')
31    or strings.icontains(subject.subject, 'increase')
32    or strings.icontains(subject.subject, 'raise')
33    or strings.icontains(subject.subject, 'change')
34    or strings.icontains(subject.subject, 'modification')
35    or strings.icontains(subject.subject, 'distribution')
36    or regex.icontains(subject.subject, 'revis(?:ed|ion)')
37    or regex.icontains(subject.subject, 'amend(?:ed|ment)')
38    or strings.icontains(subject.subject, 'update')
39  )
40  and any(filter(attachments, .content_type == "message/rfc822"),
41          any(file.parse_eml(.).attachments,
42              any(file.explode(.),
43                  (
44                    regex.icontains(.scan.ocr.raw, 'scan|camera')
45                    and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
46                  )
47                  or .scan.qr.type == "url" and .scan.qr.url.domain.valid
48              )
49          )
50  )
51  // negate instances where proofpoint sends a review of a reported message via analyzer 
52  and not (
53    sender.email.email == "analyzer@analyzer.securityeducation.com"
54    and any(headers.domains, .root_domain == "pphosted.com")
55    and headers.auth_summary.spf.pass
56    and headers.auth_summary.dmarc.pass
57  )   
58attack_types:
59  - "Credential Phishing"
60tactics_and_techniques:
61  - "QR code"
62  - "Social engineering"
63detection_methods:
64  - "Computer Vision"
65  - "Content analysis"
66  - "Optical Character Recognition"
67  - "QR code analysis"
68id: "98a2f03c-4bec-556d-af84-709d41819877"
to-top