Link: QR code in EML attachment with credential phishing indicators
This rule detects QR codes in EML attachments that return a phishing disposition when analyzed, or are leveraging a known open redirect.
Sublime rule
```yaml
name: "Link: QR code in EML attachment with credential phishing indicators"
description: "This rule detects QR codes in EML attachments that return a phishing disposition when analyzed, or are leveraging a known open redirect."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(attachments) == 1
  and any(attachments,
          (.content_type == "message/rfc822" or .file_extension =~ "eml")
          // a QR code inside the attached EML that decodes to a URL
          and any(file.explode(.),
                  .depth > 0
                  and .scan.qr.type == "url"

                  // link analysis of the decoded URL returns a phishing disposition
                  and (
                    ml.link_analysis(.scan.qr.url).credphish.disposition == "phishing"
                    // or the landing page is a short bot-check / verification interstitial
                    or (
                      strings.ilike(ml.link_analysis(.scan.qr.url).final_dom.display_text,
                                    "*robot*",
                                    "*session check*",
                                    "*verify*",
                                    "*human*"
                      )
                      and length(ml.link_analysis(.scan.qr.url).final_dom.display_text) < 250
                    )
                    // or the analysis passed through a Cloudflare Turnstile challenge
                    or any(ml.link_analysis(.scan.qr.url).unique_urls_accessed,
                           .domain.domain == "challenges.cloudflare.com"
                           and strings.icontains(.path, "turnstile")
                    )
                    // or the URL is wrapped in a known open redirect
                    or any(.scan.qr.url.rewrite.encoders,
                           strings.icontains(., "open_redirect")
                    )
                  )
                  // ignore QR codes that point at the organization's own domains
                  and .scan.qr.url.domain.root_domain not in $org_domains
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Open redirect"
  - "QR code"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "QR code analysis"
id: "9908ed3a-4c01-5a8d-82f9-78794b367c6e"
```
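The following is an added worked example, not part of the Sublime rule or the Sublime platform: it re-implements the rule's decision logic in plain Python and runs it over a handful of constructed messages, so the interaction of the four URL conditions, the `depth > 0` requirement, the single-attachment guard and the `$org_domains` exclusion can be checked offline. The dataclasses stand in for the fields the MQL rule reads (`attachments`, the output of `file.explode`, `ml.link_analysis` results); their shape, the sample URLs and the `ORG_DOMAINS` set are all assumptions made for this illustration.

```python
"""Stand-alone re-implementation of the rule's decision logic (added example).

Every structure here is a constructed stand-in for data the real platform
supplies: attachments, the exploded file tree, QR decoding and link analysis.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Wildcard patterns from the rule's strings.ilike(...) call (case-insensitive).
DISPLAY_TEXT_PATTERNS = ("*robot*", "*session check*", "*verify*", "*human*")


@dataclass
class LinkAnalysis:
    credphish_disposition: str                 # e.g. "phishing" or "benign"
    final_dom_display_text: str                # visible text of the final page
    accessed_urls: List[Tuple[str, str]]       # (domain, path) pairs visited


@dataclass
class QrCode:
    qr_type: str                               # "url" or something else
    url: str
    root_domain: str                           # registrable domain of the URL
    encoders: List[str] = field(default_factory=list)   # rewrite encoders seen
    analysis: Optional[LinkAnalysis] = None    # None if analysis unavailable


@dataclass
class ExplodedFile:
    depth: int                                 # 0 = the attachment itself
    qr: Optional[QrCode] = None


@dataclass
class Attachment:
    content_type: str
    file_extension: str
    exploded: List[ExplodedFile]


@dataclass
class Message:
    inbound: bool
    attachments: List[Attachment]


def _ilike_any(text: str, patterns) -> bool:
    """Case-insensitive glob match, mirroring strings.ilike with several patterns."""
    lowered = text.lower()
    return any(fnmatchcase(lowered, p.lower()) for p in patterns)


def _qr_url_is_suspicious(qr: QrCode, org_domains) -> bool:
    """The inner any(file.explode(.), ...) body, minus the depth check."""
    if qr.qr_type != "url":
        return False
    hit = False
    la = qr.analysis
    if la is not None:
        if la.credphish_disposition == "phishing":
            hit = True
        elif (_ilike_any(la.final_dom_display_text, DISPLAY_TEXT_PATTERNS)
              and len(la.final_dom_display_text) < 250):
            hit = True
        elif any(d == "challenges.cloudflare.com" and "turnstile" in p.lower()
                 for d, p in la.accessed_urls):
            hit = True
    # open-redirect encoder check does not depend on link analysis
    if not hit and any("open_redirect" in e.lower() for e in qr.encoders):
        hit = True
    return hit and qr.root_domain not in org_domains


def matches_rule(msg: Message, org_domains) -> bool:
    """True when the message satisfies the rule's `source` expression."""
    if not msg.inbound or len(msg.attachments) != 1:
        return False
    att = msg.attachments[0]
    if not (att.content_type == "message/rfc822" or att.file_extension.lower() == "eml"):
        return False
    return any(f.depth > 0 and f.qr is not None and _qr_url_is_suspicious(f.qr, org_domains)
               for f in att.exploded)


# --- constructed sample messages (assumed values, not real telemetry) ---
ORG_DOMAINS = {"example.com"}


def _eml_with_qr(qr: QrCode, inbound: bool = True, extra_attachments: int = 0) -> Message:
    eml = Attachment("message/rfc822", "eml", [ExplodedFile(0), ExplodedFile(1, qr)])
    return Message(inbound, [eml] + [Attachment("application/pdf", "pdf", [ExplodedFile(0)])] * extra_attachments)


SAMPLES: Dict[str, Message] = {
    "phishing_disposition": _eml_with_qr(QrCode("url", "https://login-check.example.net/a", "example.net",
                                                analysis=LinkAnalysis("phishing", "Sign in", []))),
    "verification_interstitial": _eml_with_qr(QrCode("url", "https://files.example.org/v", "example.org",
                                                     analysis=LinkAnalysis("benign", "Please verify you are human", []))),
    "turnstile_challenge": _eml_with_qr(QrCode("url", "https://docs.example.org/x", "example.org",
                                               analysis=LinkAnalysis("benign", "Loading...",
                                                                     [("challenges.cloudflare.com", "/turnstile/v0/api.js")]))),
    "open_redirect": _eml_with_qr(QrCode("url", "https://redirector.example.org/r?u=https://example.net/login",
                                         "example.org", encoders=["open_redirect"])),
    "own_domain_excluded": _eml_with_qr(QrCode("url", "https://portal.example.com/login", "example.com",
                                               analysis=LinkAnalysis("phishing", "Sign in", []))),
    "qr_not_a_url": _eml_with_qr(QrCode("text", "WIFI:S:guest;;", "",
                                        analysis=LinkAnalysis("phishing", "", []))),
    "two_attachments": _eml_with_qr(QrCode("url", "https://login-check.example.net/a", "example.net",
                                           analysis=LinkAnalysis("phishing", "Sign in", [])), extra_attachments=1),
}


def evaluate_samples() -> Dict[str, bool]:
    return {name: matches_rule(m, ORG_DOMAINS) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:28s} -> {'MATCH' if verdict else 'no match'}")
```

The first four samples each trip exactly one of the rule's alternatives; the last three show the exclusions that keep the rule narrow: a QR code pointing at one of the organization's own domains, a QR code that is not a URL at all, and a message carrying more than one attachment.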