QR code to auto-download of a suspicious file type (unsolicited)
A QR code rendered in the body of the email resolves to a URL that auto-downloads a suspicious file type — or an archive containing one — such as an LNK, JS, or VBA file.
Auto-downloaded archives are recursively exploded so that these file types are detected even when nested inside them.
Sublime rule source (also published on GitHub):
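# Sublime Security detection rule.
# Fires on inbound mail whose rendered body contains a QR code that resolves to a
# URL auto-downloading a suspicious file type (scripts, shortcuts, Windows/macOS
# executables, ...), including such files nested inside downloaded archives.
# Sender reputation is used to suppress trusted/solicited senders (see source).
name: "QR code to auto-download of a suspicious file type (unsolicited)"
description: |
  A QR code in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.

  Recursively explodes auto-downloaded files within archives to detect these file types.
type: "rule"
severity: "high"
source: |
  type.inbound
  // QR codes are extracted from a rendered screenshot of the message body only;
  // QR codes carried inside attachments (PDFs, images) are outside this rule's scope.
  and any(file.explode(beta.message_screenshot()),
          // Follow each QR URL through link analysis and inspect whatever it auto-downloads,
          // recursively exploding archives so nested payloads are also examined.
          any(ml.link_analysis(.scan.qr.url).files_downloaded,
              any(file.explode(.),
                  // File extensions treated as suspicious when auto-downloaded.
                  .file_extension in (
                    "dll",
                    "exe",
                    "html",
                    "lnk",
                    "js",
                    "vba",
                    "vbs",
                    "vbe",
                    "bat",
                    "py",
                    "ics",
                    "sh",
                    "ps1"
                  )
                  // Also match on the raw file name rather than the parsed extension.
                  or strings.ilike(.file_name, "*.exe")
                  // Windows executable content (MZ header / x-dosexec MIME) carrying an
                  // extension other than dll/exe, i.e. an executable disguised by renaming.
                  or (
                    .file_extension not in ("dll", "exe")
                    and (
                      .flavors.mime in ("application/x-dosexec")
                      or any(.flavors.yara, . in ('mz_file'))
                    )
                  )
                  // macOS executables, identified by YARA regardless of extension.
                  or any(.flavors.yara, . == "macho_file")
              )
          )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // NOTE(review): when no DMARC result is present, the outcome of `not headers.auth_summary.dmarc.pass`
  // depends on how a missing value is evaluated — confirm trusted senders without a DMARC
  // result are handled as intended.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // Only fire for unsolicited senders, or for solicited senders that already have
  // malicious/spam history and no recorded false positives.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "LNK"
  - "Social engineering"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "URL analysis"
  - "QR code analysis"
id: "eed87ea2-fc48-523c-a08a-b1febf53f25b"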