Compensation review with QR code in attached EML
Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents.
Sublime rule (View on GitHub)
1name: "Compensation review with QR code in attached EML"
2description: "Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7
8 // the subject contains pay related items
9 and (
10 strings.icontains(subject.subject, 'salary')
11 or regex.icontains(subject.subject, 'comp(?:liance|ensation|\b)')
12 or strings.icontains(subject.subject, 'remuneration')
13 or regex.icontains(subject.subject, '\bpay(?:roll|\b)')
14 or strings.icontains(subject.subject, 'bonus')
15 or strings.icontains(subject.subject, 'incentive')
16 or strings.icontains(subject.subject, 'merit')
17 or strings.icontains(subject.subject, 'handbook')
18 or strings.icontains(subject.subject, 'benefits')
19 )
20 // subjects include review/updates/changes
21 and (
22 strings.icontains(subject.subject, 'review')
23 or strings.icontains(subject.subject, 'evaluation')
24 or regex.icontains(subject.subject, 'eval\b')
25 or strings.icontains(subject.subject, 'assessment')
26 or strings.icontains(subject.subject, 'appraisal')
27 or strings.icontains(subject.subject, 'feedback')
28 or strings.icontains(subject.subject, 'performance')
29 or strings.icontains(subject.subject, 'adjustment')
30 or strings.icontains(subject.subject, 'statement')
31 or strings.icontains(subject.subject, 'increase')
32 or strings.icontains(subject.subject, 'raise')
33 or strings.icontains(subject.subject, 'change')
34 or strings.icontains(subject.subject, 'modification')
35 or strings.icontains(subject.subject, 'distribution')
36 or strings.icontains(subject.subject, 'Disbursement')
37 or regex.icontains(subject.subject, 'revis(?:ed|ion)')
38 or regex.icontains(subject.subject, 'amend(?:ed|ment)')
39 or strings.icontains(subject.subject, 'update')
40 )
41 and any(filter(attachments,
42 .content_type == "message/rfc822" or .file_extension in ('eml')
43 ),
44 // inspect attachments in nested EML
45 any(file.parse_eml(.).attachments,
46 any(file.explode(.),
47 (
48 regex.icontains(.scan.ocr.raw, 'scan|camera')
49 and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
50 )
51 or .scan.qr.type == "url" and .scan.qr.url.domain.valid
52 )
53 )
54 // inspect nested EML in body.current_thread
55 or (
56 regex.icontains(file.parse_eml(.).body.current_thread.text,
57 'scan|camera'
58 )
59 and regex.icontains(file.parse_eml(.).body.current_thread.text,
60 '\bQR\b|Q\.R\.|barcode'
61 )
62 )
63 // or there is a QR code found within the body of the nested body
64 or (
65 beta.scan_qr(file.html_screenshot(file.parse_eml(.).body.html)).found
66 and any(beta.scan_qr(file.html_screenshot(file.parse_eml(.).body.html)
67 ).items,
68 .type == "url" and .url.domain.valid
69 )
70 )
71 )
72
73 // negate instances where proofpoint sends a review of a reported message via analyzer
74 and not (
75 sender.email.email == "analyzer@analyzer.securityeducation.com"
76 and any(headers.domains, .root_domain == "pphosted.com")
77 and headers.auth_summary.spf.pass
78 and headers.auth_summary.dmarc.pass
79 )
80attack_types:
81 - "Credential Phishing"
82tactics_and_techniques:
83 - "QR code"
84 - "Social engineering"
85detection_methods:
86 - "Computer Vision"
87 - "Content analysis"
88 - "Optical Character Recognition"
89 - "QR code analysis"
90id: "98a2f03c-4bec-556d-af84-709d41819877"