Unicode QR Code

Identifies messages leveraging Unicode block characters (U+2580 through U+259F) arranged on consecutive lines to form QR codes. The rule inspects both the overall quantity of these characters and their line-by-line arrangement, while weighing the sender's historical behavior and reputation.

Sublime rule:

name: "Unicode QR Code"
description: "Identifies messages leveraging Unicode block characters (between U+2580 - U+259F) arranged on consecutive lines to create QR codes. The rule inspects both the overall quantity and specific formatting of these characters, while considering the sender's historical behavior and reputation."
type: "rule"
severity: "medium"
references:
  - "https://gist.github.com/padey/9b366853e305bdeda432c6419fec609a"
source: |
  type.inbound
  // count of lines ending with a unicode block that are followed by a line starting with one
  and regex.count(body.current_thread.text,
                  '[\x{2580}-\x{259F}][^\S\r\n]*[\r\n][^\S\r\n]*[\x{2580}-\x{259F}]'
  ) > 10
  // the total number of unicode blocks
  and regex.count(body.current_thread.text, '[\x{2580}-\x{259F}]') > 150
  and (
    profile.by_sender_email().prevalence != "common"
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_false_positives
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "QR code analysis"
id: "1a0bdd25-404a-5c42-a85c-dfc09b66cd10"
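As an added example (not part of the Sublime rule or this page), the rule's two regex counts and its sender clause reproduced in Python and run over a constructed block-character body, so the thresholds and the regex's edge behaviour can be checked offline. The sender profile values are plain function arguments standing in for profile.by_sender_email(); the grid builder and its checkerboard content are constructed here.

```python
import re

# Unicode Block Elements range the rule inspects (U+2580 - U+259F); Sublime's
# \x{2580} escape becomes \u2580 in Python.
BLOCK = r"[\u2580-\u259F]"

# Rule pattern 1: block char, optional non-newline whitespace, one line-break
# character, optional whitespace, another block char.
LINE_WRAP_RE = re.compile(BLOCK + r"[^\S\r\n]*[\r\n][^\S\r\n]*" + BLOCK)
# Rule pattern 2: any single block char.
BLOCK_RE = re.compile(BLOCK)

# Thresholds taken from the rule source.
MIN_LINE_WRAPS = 10
MIN_BLOCKS = 150

def count_line_wraps(text: str) -> int:
    # regex.count semantics: non-overlapping matches.
    return len(LINE_WRAP_RE.findall(text))

def count_blocks(text: str) -> int:
    return len(BLOCK_RE.findall(text))

def sender_clause(prevalence: str, any_malicious_or_spam: bool, any_false_positives: bool) -> bool:
    # Stand-in for the rule's profile.by_sender_email() conditions.
    return prevalence != "common" or (any_malicious_or_spam and not any_false_positives)

def matches_rule(text: str, prevalence: str,
                 any_malicious_or_spam: bool = False, any_false_positives: bool = False) -> bool:
    return (count_line_wraps(text) > MIN_LINE_WRAPS
            and count_blocks(text) > MIN_BLOCKS
            and sender_clause(prevalence, any_malicious_or_spam, any_false_positives))

def build_block_grid(rows: int = 25, cols: int = 25, newline: str = "\n") -> str:
    # Constructed sample body: a checkerboard of U+2588 and U+2580 laid out
    # line by line, the way a QR code rendered as text is.
    return newline.join(
        "".join("\u2588" if (r + c) % 2 == 0 else "\u2580" for c in range(cols))
        for r in range(rows))

if __name__ == "__main__":
    grid = build_block_grid()
    print(count_line_wraps(grid), count_blocks(grid))  # 24 625
    print(matches_rule(grid, "new"))                    # True
    print(matches_rule(grid, "common"))                 # False: common sender, clean history
    print(matches_rule(grid, "common", any_malicious_or_spam=True))  # True
    # [\r\n] consumes one character, so a CRLF body yields no line-wrap matches.
    print(count_line_wraps(build_block_grid(newline="\r\n")))  # 0
```

The CRLF case shows only how the regex behaves as written; whether message bodies reach body.current_thread.text with CR LF line endings intact is not stated on the page.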