Link: QR code with phishing disposition in img or pdf

This rule analyzes image and PDF attachments for QR codes whose decoded URL LinkAnalysis concludes is phishing. It also requires that the QR code URL does not resolve to any organizational domain.

Sublime rule (View on GitHub)

 1name: "Link: QR code with phishing disposition in img or pdf"
 2description: "This rule analyzes image attachments for QR Codes in which LinkAnalysis concludes is phishing. The rule ensures that the URLs do not link to any organizational domains."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(attachments) < 10
 8  and any(attachments,
 9          (.file_type in $file_types_images or .file_type == "pdf")
10          and any(file.explode(.),
11                  .scan.qr.type == "url"
12  
13                  // linkanalysis phishing disposition
14                  and any([beta.linkanalysis(.scan.qr.url)],
15                          .credphish.disposition == "phishing"
16                  )
17                  and .scan.qr.url.domain.root_domain not in $org_domains
18          )
19  )
20  and (
21    not profile.by_sender().solicited
22    or (
23      profile.by_sender().any_messages_malicious_or_spam
24      and not profile.by_sender().any_false_positives
25    )
26  )
27  
28  // negate highly trusted sender domains unless they fail DMARC authentication
29  and (
30    (
31      sender.email.domain.root_domain in $high_trust_sender_root_domains
32      and (
33        any(distinct(headers.hops, .authentication_results.dmarc is not null),
34            strings.ilike(.authentication_results.dmarc, "*fail")
35        )
36      )
37    )
38    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
39  )
40  and not profile.by_sender().any_false_positives  
41attack_types:
42  - "Credential Phishing"
43tactics_and_techniques:
44  - "QR code"
45  - "Social engineering"
46detection_methods:
47  - "Content analysis"
48  - "Computer Vision"
49  - "QR code analysis"
50  - "Sender analysis"
51  - "URL analysis"
52id: "8e8949f6-3561-513f-8cde-254124e10cde"