Link: QR code with phishing disposition in img or pdf

This rule analyzes image or PDF attachments for QR codes whose decoded URL LinkAnalysis concludes is phishing. The rule also ensures that the URL does not link to any organizational domain.

Sublime rule (View on GitHub)

# Sublime detection rule; the `source` block is MQL evaluated per inbound message.
name: "Link: QR code with phishing disposition in img or pdf"
description: "This rule analyzes image attachments for QR Codes in which LinkAnalysis concludes is phishing. The rule ensures that the URLs do not link to any organizational domains."
type: "rule"
severity: "high"
source: |
  type.inbound
  // only messages with fewer than 10 attachments are considered
  // (presumably to bound the explode/link-analysis work below — confirm)
  and length(attachments) < 10
  and any(attachments,
          // image or PDF attachments only
          (.file_type in $file_types_images or .file_type == "pdf")
          // explode the attachment and look for QR codes that decode to a URL
          and any(file.explode(.),
                  .scan.qr.type == "url"
  
                  // linkanalysis phishing disposition
                  // (single result wrapped in a list so any() can evaluate it)
                  and any([ml.link_analysis(.scan.qr.url)],
                          .credphish.disposition == "phishing"
                  )
                  // the QR target must not be one of our own domains
                  and .scan.qr.url.domain.root_domain not in $org_domains
          )
  )
  // sender-profile gating: fire only if the sender is unsolicited, has no
  // benign history, has prior malicious/spam history, or claims one of our
  // own domains without passing DMARC (a missing DMARC result counts as a
  // failure here because of the coalesce to false)
  and (
    not profile.by_sender_email().solicited
    or not profile.by_sender_email().any_messages_benign
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
    or (
      sender.email.domain.domain in $org_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      // NOTE(review): unlike the org-domain check above, the DMARC result is
      // not coalesced here; if a null result is falsy, a high-trust domain
      // with no DMARC verdict is negated rather than treated as failing —
      // confirm this asymmetry is intended
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
# classification metadata used for triage and reporting
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Computer Vision"
  - "QR code analysis"
  - "Sender analysis"
  - "URL analysis"
id: "8e8949f6-3561-513f-8cde-254124e10cde"