Link: QR Code with suspicious language (untrusted sender)

This rule analyzes image attachments for QR codes that contain URLs including the recipient's email address. It ensures that the URLs do not link to any organizational domains. Additionally, it examines the email body using Natural Language Processing to detect credential phishing language. In cases of null bodies, the rule falls back to checking the image itself for suspicious terms.

Sublime rule (View on GitHub)

 1name: "Link: QR Code with suspicious language (untrusted sender)"
 2description: |
 3  This rule analyzes image attachments for QR Codes that contain URLs including the recipient's email address. It ensures that the URLs do not link to any organizational domains.
 4  Additionally, it examines the email body using Natural Language Processing to detect credential phishing language.In cases of null bodies,
 5  the rule is conditioned to check the image for any suspicious terms.  
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  
11  // check image attachments for QR code, will want to add message.screenshot functionality here when it's ready
12  // and length(attachments) < 10
13  and any(attachments,
14          (.file_type in $file_types_images or .file_type == "pdf")
15          and any(file.explode(.),
16                  .scan.qr.type == "url"
17  
18                  // recipient email address is present in the URL, a common tactic used in credential phishing attacks and the url is not in $org_domains
19                  and (
20                    any(recipients.to,
21                        .email.domain.valid
22                        and (
23                          strings.icontains(..scan.qr.data, .email.email)
24                          or (
25                            // recipient email found in qr data base64 encoded
26                            any(beta.scan_base64(..scan.qr.data, format="url"),
27                                strings.icontains(., ..email.email)
28                            )
29                          )
30                        )
31                    )
32                    and .scan.qr.url.domain.root_domain not in $org_domains
33                  )
34          )
35  )
36  
37  // NLU has identified cred_theft language with high confidence
38  and (
39    any(ml.nlu_classifier(body.current_thread.text).intents,
40        .name == "cred_theft" and .confidence == "high"
41    )
42    or 
43    // the attachment contains suspicious strings
44    (
45      any(attachments,
46          (.file_type in $file_types_images or .file_type == "pdf")
47          and any(file.explode(.),
48                  any(.scan.strings.strings,
49                      regex.icontains(.,
50                                      '(\b2fa\b|\bQ.?R\.?\s?\b|MFA|Muti[ -]?Factor Auth(entication)?)'
51                      )
52                  )
53          )
54      )
55    )
56  )
57  and (
58    profile.by_sender().prevalence in ("new", "outlier")
59    or (
60      profile.by_sender().any_messages_malicious_or_spam
61      and not profile.by_sender().any_false_positives
62    )
63    or (
64      sender.email.domain.domain in $org_domains
65      and not headers.auth_summary.dmarc.pass
66    )
67  )
68  
69  // negate highly trusted sender domains unless they fail DMARC authentication
70  and (
71    (
72      sender.email.domain.root_domain in $high_trust_sender_root_domains
73      and not headers.auth_summary.dmarc.pass
74    )
75    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
76  )  
77attack_types:
78  - "Credential Phishing"
79tactics_and_techniques:
80  - "Impersonation: Brand"
81  - "QR code"
82  - "Social engineering"
83detection_methods:
84  - "Content analysis"
85  - "Computer Vision"
86  - "Natural Language Understanding"
87  - "QR code analysis"
88  - "Sender analysis"
89  - "URL analysis"
90id: "25a84d1c-9578-53e3-98a7-ca9b43abb28b"