EXPLORE
Sign In
← Back to Explore
sublimehighRule

Attachment: SVG files with evasion elements

This rule identifies incoming SVG vector graphics files containing specific patterns: circle elements combined with either embedded images, QR codes, or filenames that match recipient information. Limited to three attachments and validates sender authenticity. SVG circle elements have been used to obfuscate QR codes and bypass automated QR code scanning methods.

MITRE ATT&CK

T1566.001T1204.002T1486T1566T1566.002T1598T1036T1027
defense-evasion

Detection Query

type.inbound
and length(attachments) < 4
and any(attachments,
        (
          .file_extension == "svg"
          or .content_type in ("image/svg+xml")
          or .file_type == "svg"
        )
        and any(file.explode(.),
                any(.scan.xml.tags, . == "circle")
                and 1 of (
                  any(.scan.xml.tags, . == "image"),
                  .scan.qr.data is not null,
                  any(recipients.to,
                      strings.icontains(..file_name, .email.local_part)
                  ),
                  any(recipients.to,
                      strings.icontains(..file_name, .email.domain.sld)
                  )
                )
        )
)
and not profile.by_sender_email().any_messages_benign
and not profile.by_sender_email().solicited

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "Attachment: SVG files with evasion elements"
description: "This rule identifies incoming SVG vector graphics files containing specific patterns: circle elements combined with either embedded images, QR codes, or filenames that match recipient information. Limited to three attachments and validates sender authenticity. SVG circle elements have been used to obfuscate QR codes and bypass automated QR code scanning methods."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(attachments) < 4
  and any(attachments,
          (
            .file_extension == "svg"
            or .content_type in ("image/svg+xml")
            or .file_type == "svg"
          )
          and any(file.explode(.),
                  any(.scan.xml.tags, . == "circle")
                  and 1 of (
                    any(.scan.xml.tags, . == "image"),
                    .scan.qr.data is not null,
                    any(recipients.to,
                        strings.icontains(..file_name, .email.local_part)
                    ),
                    any(recipients.to,
                        strings.icontains(..file_name, .email.domain.sld)
                    )
                  )
          )
  )
  and not profile.by_sender_email().any_messages_benign
  and not profile.by_sender_email().solicited
tags:
 - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Image as content"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "XML analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "5d2dbb60-d4bd-5231-bc3e-712e1cda865a"