← Back to Explore
sublimemediumRule
Unicode QR code
Identifies messages leveraging Unicode block characters (between U+2580 - U+259F) arranged on consecutive lines to create QR codes. The rule inspects both the overall quantity and specific formatting of these characters, while considering the sender's historical behavior and reputation.
Detection Query
type.inbound
// count of the lines ending with and then followed by a unicode block
and regex.count(body.html.inner_text,
'[\x{2580}-\x{259F}][^\S\r\n]*[\r\n][^\S\r\n]*[\x{2580}-\x{259F}]'
) > 10
// the total number of unicode blocks
and regex.count(body.current_thread.text, '[\x{2580}-\x{259F}]') > 150
and (
profile.by_sender_email().prevalence != "common"
or (
profile.by_sender_email().any_messages_malicious_or_spam
and not profile.by_sender_email().any_messages_benign
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Unicode QR code"
description: "Identifies messages leveraging Unicode block characters (between U+2580 - U+259F) arranged on consecutive lines to create QR codes. The rule inspects both the overall quantity and specific formatting of these characters, while considering the sender's historical behavior and reputation."
type: "rule"
severity: "medium"
references:
- "https://gist.github.com/padey/9b366853e305bdeda432c6419fec609a"
source: |
type.inbound
// count of the lines ending with and then followed by a unicode block
and regex.count(body.html.inner_text,
'[\x{2580}-\x{259F}][^\S\r\n]*[\r\n][^\S\r\n]*[\x{2580}-\x{259F}]'
) > 10
// the total number of unicode blocks
and regex.count(body.current_thread.text, '[\x{2580}-\x{259F}]') > 150
and (
profile.by_sender_email().prevalence != "common"
or (
profile.by_sender_email().any_messages_malicious_or_spam
and not profile.by_sender_email().any_messages_benign
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "Content analysis"
- "Sender analysis"
- "QR code analysis"
id: "1a0bdd25-404a-5c42-a85c-dfc09b66cd10"