Link: QR code in EML attachment with credential phishing indicators

This rule detects QR codes in EML attachments whose decoded URL returns a phishing disposition when analyzed or leverages a known open redirect.

Sublime rule (View on GitHub)

 1name: "Link: QR code in EML attachment with credential phishing indicators"
 2description: "This rule detects QR codes in EML attachments that return a phishing disposition when analyzed, or are leveraging a known open redirect. "
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(attachments) == 1
 8  and any(attachments,
 9          (.content_type == "message/rfc822" or .file_extension =~ "eml")
10          // credential theft language in the attached EML
11          and any(file.explode(.),
12                  .depth > 0
13                  and .scan.qr.type == "url"
14  
15                  // linkanalysis phishing disposition
16                  and any([ml.link_analysis(.scan.qr.url)],
17                          .credphish.disposition == "phishing"
18                          or any(..scan.qr.url.rewrite.encoders,
19                                 strings.icontains(., "open_redirect")
20                          )
21                  )
22                  and .scan.qr.url.domain.root_domain not in $org_domains
23          )
24  )  
25
26attack_types:
27  - "Credential Phishing"
28tactics_and_techniques:
29  - "Evasion"
30  - "Open redirect"
31  - "QR code"
32detection_methods:
33  - "Computer Vision"
34  - "Content analysis"
35  - "File analysis"
36  - "QR code analysis"
37
38id: "9908ed3a-4c01-5a8d-82f9-78794b367c6e"