Link: QR code with phishing disposition in img or pdf
This rule analyzes image and PDF attachments for QR codes whose decoded URLs LinkAnalysis classifies as phishing, and ensures those URLs do not point to any organizational domain.
Sublime rule:

```yaml
name: "Link: QR code with phishing disposition in img or pdf"
description: "This rule analyzes image attachments for QR Codes in which LinkAnalysis concludes is phishing. The rule ensures that the URLs do not link to any organizational domains."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(attachments) < 10
  and any(attachments,
          (.file_type in $file_types_images or .file_type == "pdf")
          and any(file.explode(.),
                  .scan.qr.type == "url"

                  // linkanalysis phishing disposition
                  and any([ml.link_analysis(.scan.qr.url)],
                          .credphish.disposition == "phishing"
                  )
                  and .scan.qr.url.domain.root_domain not in $org_domains
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and not profile.by_sender().any_false_positives
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Computer Vision"
  - "QR code analysis"
  - "Sender analysis"
  - "URL analysis"
id: "8e8949f6-3561-513f-8cde-254124e10cde"
```
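The MQL above is evaluated by the Sublime platform and cannot be run on its own, so the following is an added example, not Sublime's code, that restates the rule's boolean logic in plain Python so the precedence of the attachment, sender-history and DMARC clauses can be checked against constructed messages. Everything here is an assumption for illustration: the `$file_types_images`, `$org_domains` and `$high_trust_sender_root_domains` lists are replaced by small constructed sets, `ml.link_analysis()` is replaced by a stand-in that flags any URL containing "login", and `root_domain` values are supplied directly on each QR hit rather than computed from a public-suffix list.

```python
"""Plain-Python model of the rule's conditions (added example, not Sublime's code).

Field names mirror the MQL (type.inbound, attachments, file.explode(.),
profile.by_sender(), headers.auth_summary.dmarc.pass). All inputs below are
constructed for illustration.
"""
from dataclasses import dataclass

# Constructed stand-ins for the Sublime list variables used by the rule.
FILE_TYPES_IMAGES = {"png", "jpg", "jpeg", "gif", "bmp", "webp"}
ORG_DOMAINS = {"example.com"}
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"trusted-vendor.example"}


@dataclass
class QrHit:
    qr_type: str      # .scan.qr.type
    url: str          # .scan.qr.url
    root_domain: str  # .scan.qr.url.domain.root_domain (supplied, not computed)


@dataclass
class Attachment:
    file_type: str
    exploded: list    # results of file.explode(.), here a list of QrHit


@dataclass
class SenderProfile:
    solicited: bool
    any_messages_malicious_or_spam: bool
    any_false_positives: bool


@dataclass
class Message:
    inbound: bool
    attachments: list
    sender_root_domain: str   # sender.email.domain.root_domain
    dmarc_pass: bool          # headers.auth_summary.dmarc.pass
    profile: SenderProfile    # profile.by_sender()


def link_analysis_is_phishing(url: str) -> bool:
    """Stand-in for ml.link_analysis(url).credphish.disposition == "phishing".
    Constructed heuristic: any URL containing 'login' counts as phishing."""
    return "login" in url.lower()


def qr_phishing_attachment(att: Attachment) -> bool:
    """The inner any(attachments, ...) clause: image/PDF carrying a phishing QR URL
    that does not point at an organizational domain."""
    if not (att.file_type in FILE_TYPES_IMAGES or att.file_type == "pdf"):
        return False
    return any(
        hit.qr_type == "url"
        and link_analysis_is_phishing(hit.url)
        and hit.root_domain not in ORG_DOMAINS
        for hit in att.exploded
    )


def sender_conditions(msg: Message) -> bool:
    """Sender-history clause, high-trust/DMARC gate, and the final false-positive guard."""
    p = msg.profile
    unsolicited_or_bad_history = (not p.solicited) or (
        p.any_messages_malicious_or_spam and not p.any_false_positives
    )
    trusted = msg.sender_root_domain in HIGH_TRUST_SENDER_ROOT_DOMAINS
    # Highly trusted domains are suppressed unless the message fails DMARC.
    trust_gate = (trusted and not msg.dmarc_pass) or not trusted
    return unsolicited_or_bad_history and trust_gate and not p.any_false_positives


def rule_matches(msg: Message) -> bool:
    return (
        msg.inbound
        and len(msg.attachments) < 10
        and any(qr_phishing_attachment(a) for a in msg.attachments)
        and sender_conditions(msg)
    )


def _msg(att_type="png", qr_url="https://evil-login.test/login", qr_root="evil-login.test",
         sender_root="unknown-sender.test", dmarc_pass=True, solicited=False,
         malicious_history=False, false_positives=False, n_attachments=1) -> Message:
    """Build a constructed inbound message with one QR hit per attachment."""
    att = Attachment(att_type, [QrHit("url", qr_url, qr_root)])
    return Message(True, [att] * n_attachments, sender_root,
                   dmarc_pass, SenderProfile(solicited, malicious_history, false_positives))


def evaluate_cases() -> dict:
    """Constructed scenarios exercising each branch of the rule."""
    return {
        "unknown_sender_phishing_qr": rule_matches(_msg()),
        "qr_points_to_org_domain": rule_matches(_msg(qr_url="https://example.com/login", qr_root="example.com")),
        "trusted_sender_dmarc_pass": rule_matches(_msg(sender_root="trusted-vendor.example", dmarc_pass=True)),
        "trusted_sender_dmarc_fail": rule_matches(_msg(sender_root="trusted-vendor.example", dmarc_pass=False)),
        "solicited_clean_sender": rule_matches(_msg(solicited=True)),
        "solicited_sender_with_spam_history": rule_matches(_msg(solicited=True, malicious_history=True)),
        "sender_with_false_positives": rule_matches(_msg(malicious_history=True, false_positives=True)),
        "non_image_attachment": rule_matches(_msg(att_type="docx")),
        "too_many_attachments": rule_matches(_msg(n_attachments=10)),
        "benign_qr_url": rule_matches(_msg(qr_url="https://cafe.test/menu", qr_root="cafe.test")),
    }


if __name__ == "__main__":
    for name, fired in evaluate_cases().items():
        print(f"{name:40s} {'MATCH' if fired else 'no match'}")
```

The cases make the two suppression paths visible: a QR URL whose root domain is in `$org_domains` never fires regardless of LinkAnalysis, and a sender in `$high_trust_sender_root_domains` is suppressed only while its DMARC result passes. Note that `any_false_positives` is checked both inside the sender-history OR and again as a final guard, so a sender with any false-positive history is excluded even when the message is unsolicited.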