Compensation Review With QR Code in Attached EML

Detects inbound messages whose subject combines compensation-related terms (salary, bonus, merit, etc.) with review/change language, and that carry EML attachments containing QR codes or barcodes in scanned documents.


# Sublime Security detection rule. The MQL expression under `source` is
# evaluated per message; the message matches when the whole expression is true.
name: "Compensation Review With QR Code in Attached EML"
description: "Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents."
type: "rule"
severity: "high"
source: |
  // Only inbound mail is in scope.
  type.inbound
  
  // the subject contains pay related items
  // Every check in this rule reads the subject line only (the body is not
  // inspected) and is case-insensitive. 'comp\b' has no leading boundary, so
  // it also matches words that merely end in "comp"; '\bpay(?:roll|\b)'
  // matches "pay" as a whole word or the prefix "payroll".
  and (
    strings.icontains(subject.subject, 'salary')
    or strings.icontains(subject.subject, 'compensation')
    or regex.icontains(subject.subject, 'comp\b')
    or regex.icontains(subject.subject, '\bpay(?:roll|\b)')
    or strings.icontains(subject.subject, 'bonus')
    or strings.icontains(subject.subject, 'incentive')
    or strings.icontains(subject.subject, 'merit')
    or strings.icontains(subject.subject, 'handbook')
    or strings.icontains(subject.subject, 'benefits')
  )
  // subjects include review/updates/changes
  // Second, independent term list: the subject must hit at least one term
  // from each of the two lists before the attachment checks are reached.
  and (
    strings.icontains(subject.subject, 'review')
    or strings.icontains(subject.subject, 'evaluation')
    or regex.icontains(subject.subject, 'eval\b')
    or strings.icontains(subject.subject, 'assessment')
    or strings.icontains(subject.subject, 'appraisal')
    or strings.icontains(subject.subject, 'feedback')
    or strings.icontains(subject.subject, 'performance')
    or strings.icontains(subject.subject, 'adjustment')
    or strings.icontains(subject.subject, 'increase')
    or strings.icontains(subject.subject, 'raise')
    or strings.icontains(subject.subject, 'change')
    or strings.icontains(subject.subject, 'modification')
    or strings.icontains(subject.subject, 'distribution')
    or regex.icontains(subject.subject, 'revis(?:ed|ion)')
    or regex.icontains(subject.subject, 'amend(?:ed|ment)')
    or regex.icontains(subject.subject, 'update(?:d| to)')
  )
  // Attachment condition. Only attachments whose declared content type is
  // message/rfc822 are considered (the declaration comes from the message
  // itself); each is parsed as an EML and every attachment of that inner
  // message is exploded. An exploded object satisfies the condition if
  // either:
  //   - OCR branch: its OCR text contains a scan/camera cue AND a QR /
  //     "Q.R." / barcode cue (both in the same object), or
  //   - decoded-QR branch: it carries a QR code that decodes to a URL with a
  //     valid domain.
  // The decoded-QR branch is written without parentheses and relies on `and`
  // binding tighter than `or`; wrapping it in parentheses would make the
  // intent unambiguous.
  // NOTE(review): one level of EML nesting is parsed explicitly here; whether
  // file.explode recurses into a further nested EML is not visible - confirm.
  and any(filter(attachments, .content_type == "message/rfc822"),
          any(file.parse_eml(.).attachments,
              any(file.explode(.),
                  (
                    regex.icontains(.scan.ocr.raw, 'scan|camera')
                    and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
                  )
                  or .scan.qr.type == "url" and .scan.qr.url.domain.valid
              )
          )
  )  
# NOTE(review): no sender-, authentication- or organization-based exclusion is
# applied, so legitimate HR mail that forwards scanned documents could also
# match; tune with the usual sender/auth exclusions if that proves noisy.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Optical Character Recognition"
  - "QR code analysis"
# Stable rule identifier; do not change when editing the logic.
id: "98a2f03c-4bec-556d-af84-709d41819877"