Link: QR code with phishing disposition in img or pdf

 1name: "Link: QR code with phishing disposition in img or pdf"
 2description: "This rule analyzes image attachments for QR Codes in which LinkAnalysis concludes is phishing. The rule ensures that the URLs do not link to any organizational domains."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(attachments) < 10
 8  and any(attachments,
 9          (.file_type in $file_types_images or .file_type == "pdf")
10          and any(file.explode(.),
11                  .scan.qr.type == "url"
12  
13                  // linkanalysis phishing disposition
14                  and any([ml.link_analysis(.scan.qr.url)],
15                          .credphish.disposition == "phishing"
16                  )
17                  and .scan.qr.url.domain.root_domain not in $org_domains
18          )
19  )
20  and (
21    not profile.by_sender().solicited
22    or (
23      profile.by_sender().any_messages_malicious_or_spam
24      and not profile.by_sender().any_false_positives
25    )
26  )
27  
28  // negate highly trusted sender domains unless they fail DMARC authentication
29  and (
30    (
31      sender.email.domain.root_domain in $high_trust_sender_root_domains
32      and not headers.auth_summary.dmarc.pass
33    )
34    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
35  )
36  and not profile.by_sender().any_false_positives  
37attack_types:
38  - "Credential Phishing"
39tactics_and_techniques:
40  - "QR code"
41  - "Social engineering"
42detection_methods:
43  - "Content analysis"
44  - "Computer Vision"
45  - "QR code analysis"
46  - "Sender analysis"
47  - "URL analysis"
48id: "8e8949f6-3561-513f-8cde-254124e10cde"