Link: QR code with phishing disposition in img or pdf

This rule analyzes image or PDF attachments for QR codes whose URLs LinkAnalysis concludes are phishing. The rule also ensures that the URLs do not link to any organizational domains.

Sublime rule (View on GitHub)

# Sublime detection rule: YAML metadata plus an MQL boolean expression under `source`.
# Fires on inbound mail carrying an image or PDF attachment with a QR code whose
# decoded URL receives a "phishing" credential-phishing disposition from LinkAnalysis,
# unless that URL's root domain is one of the organization's own domains.
name: "Link: QR code with phishing disposition in img or pdf"
description: "This rule analyzes image attachments for QR Codes in which LinkAnalysis concludes is phishing. The rule ensures that the URLs do not link to any organizational domains."
type: "rule"
severity: "high"
# The rule matches when the whole expression below evaluates to true.
source: |
  // only inbound messages
  type.inbound
  // skip messages carrying 10 or more attachments (presumably to bound the
  // per-attachment explode/scan work below — confirm against the rule's intent)
  and length(attachments) < 10
  // at least one image or PDF attachment ...
  and any(attachments,
          (.file_type in $file_types_images or .file_type == "pdf")
          // ... that, once exploded, contains a QR code decoding to a URL
          and any(file.explode(.),
                  .scan.qr.type == "url"

                  // linkanalysis phishing disposition
                  // (the analysis result is wrapped in a one-element list so any() can test its fields)
                  and any([ml.link_analysis(.scan.qr.url)],
                          .credphish.disposition == "phishing"
                  )
                  // never fire on QR codes that resolve to the org's own domains
                  and .scan.qr.url.domain.root_domain not in $org_domains
          )
  )
  // sender gating: an unsolicited sender, a sender whose history is only
  // malicious/spam with nothing benign, or an org-domain sender failing DMARC (spoof)
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
    or (
      sender.email.domain.domain in $org_domains
      and not headers.auth_summary.dmarc.pass
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // NOTE(review): this block consults the by_sender_email() profile, whereas the
  // gating block above uses by_sender(); the org-domain/DMARC spoof clause is
  // repeated here verbatim.
  and (
      // no messages from this sender email have been marked benign
      not profile.by_sender_email().any_messages_benign
      // or it's a spoof of the org_domain
      or (
          sender.email.domain.domain in $org_domains
          and not headers.auth_summary.dmarc.pass
      )
  )  
# Classification metadata for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Computer Vision"
  - "QR code analysis"
  - "Sender analysis"
  - "URL analysis"
# Stable identifier of this rule as published.
id: "8e8949f6-3561-513f-8cde-254124e10cde"