QR code to auto-download of a suspicious file type (unsolicited)

A QR code in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.

Recursively explodes auto-downloaded files within archives to detect these file types.

Sublime rule:

name: "QR code to auto-download of a suspicious file type (unsolicited)"
description: |
  A QR code in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.

  Recursively explodes auto-downloaded files within archives to detect these file types.
type: "rule"
severity: "high"
source: |
  type.inbound
  //
  // This rule makes use of a beta feature and is subject to change without notice
  // using the beta feature in custom rules is not suggested until it has been formally released
  //
  and beta.scan_qr(file.message_screenshot()).found
  and any(beta.scan_qr(file.message_screenshot()).items,
          any(ml.link_analysis(.url).files_downloaded,
              strings.ilike(.file_name, "*.exe")
              or .file_extension in (
                "dll",
                "exe",
                "html",
                "lnk",
                "js",
                "vba",
                "vbs",
                "vbe",
                "bat",
                "py",
                "ics",
                "sh",
                "ps1"
              )
              // or call file.explode to get yara/mime types
              or any(file.explode(.),
                     // file ext is not dll but is exe mime/yara
                     (
                       .file_extension not in ("dll", "exe")
                       and (
                         .flavors.mime in ("application/x-dosexec")
                         or any(.flavors.yara, . in ('mz_file'))
                       )
                     )
                     // or a macho file
                     or any(.flavors.yara, . == "macho_file")
              )
          )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "LNK"
  - "Social engineering"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "URL analysis"
  - "QR code analysis"
id: "eed87ea2-fc48-523c-a08a-b1febf53f25b"
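As an added illustration that is not Sublime's code, the following Python models the rule's match logic (suspicious download test, high-trust/DMARC exclusion, unsolicited-sender test) and evaluates it over a constructed message record. The dict field names, the treatment of "exploded" as the flat output of a recursive file.explode, and the example.com / example.invalid domains are assumptions made for the example.

```python
import fnmatch
# Extensions the rule lists for .file_extension
SUSPICIOUS_EXT = {"dll", "exe", "html", "lnk", "js", "vba", "vbs", "vbe",
                  "bat", "py", "ics", "sh", "ps1"}

def suspicious_download(f):
    """Per-download test: name/extension match, or exploded content that is a
    PE (MZ) hiding behind another extension, or a Mach-O binary."""
    if (fnmatch.fnmatch(f["file_name"].lower(), "*.exe")  # strings.ilike(.file_name, "*.exe")
            or f["file_extension"] in SUSPICIOUS_EXT):
        return True
    for child in f.get("exploded", []):  # assumed flat list from recursive file.explode(.)
        disguised_pe = (child["file_extension"] not in ("dll", "exe")
                        and (child["mime"] == "application/x-dosexec"
                             or "mz_file" in child["yara"]))
        if disguised_pe or "macho_file" in child["yara"]:
            return True
    return False

def sender_not_trusted(msg, high_trust):
    """High-trust root domains are excluded unless DMARC failed."""
    root = msg["sender_root_domain"]
    return root not in high_trust or not msg["dmarc_pass"]

def unsolicited(profile):
    return (not profile["solicited"]
            or (profile["any_malicious_or_spam"] and not profile["any_benign"]))

def rule_matches(msg, high_trust=frozenset()):
    if not msg["inbound"] or not msg["qr_codes"]:
        return False
    downloads = [f for qr in msg["qr_codes"] for f in qr["files_downloaded"]]
    return (any(suspicious_download(f) for f in downloads)
            and sender_not_trusted(msg, high_trust)
            and unsolicited(msg["sender_profile"]))

# Constructed sample: the QR code's URL serves a ZIP whose inner file is an MZ
# executable renamed to .scr, which the extension list alone would not catch.
SAMPLE = {
    "inbound": True,
    "sender_root_domain": "example.com",
    "dmarc_pass": True,
    "sender_profile": {"solicited": False, "any_malicious_or_spam": False,
                       "any_benign": False},
    "qr_codes": [{"url": "https://example.invalid/dl", "files_downloaded": [{
        "file_name": "invoice.zip", "file_extension": "zip",
        "exploded": [{"file_extension": "scr", "mime": "application/x-dosexec",
                      "yara": ["mz_file"]}]}]}],
}
```

The same record stops matching once example.com is placed in the high-trust set with DMARC passing, and matches again if DMARC fails, mirroring the rule's trusted-sender clause.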