
Attachment: QR code with encoded recipient targeting and redirect indicators

Detects QR codes in attachments that redirect through suspicious URI structures commonly associated with Kratos/SneakyLog redirection services (a `.company`, `.cyou` or `.sbs` domain followed by `$`, `#` or `?a=`). For Office documents the QR-encoded URL must additionally contain the recipient's email address, either in plaintext or base64 encoded, as a targeting indicator; for PDFs and images only the URI structure is checked, so that branch does not require recipient correlation.

MITRE ATT&CK

defense-evasion

Detection Query

// Inbound messages carrying an attachment whose decoded QR code points at a
// URL with the Kratos/SneakyLog-style redirect structure matched below.
// Two attachment branches are ORed together:
//   1. Office documents (by extension): the QR URL must ALSO embed the
//      recipient's address, plaintext or base64, as a targeting indicator.
//   2. PDFs and images: the redirect URI structure alone is sufficient; no
//      recipient correlation is performed in this branch.
type.inbound
// QR code detection in attachments
and any(attachments,
        (
          // Office documents. $file_extensions_macros is a platform-provided
          // list whose contents are not visible in this rule.
          .file_extension in $file_extensions_macros
          // file.explode(.) yields the objects extracted from the attachment;
          // each one is inspected for a decoded QR code whose payload is a URL.
          and any(file.explode(.),
                  .scan.qr.type == "url"
                  // QR code URL contains recipient's email (targeting indicator).
                  // Only recipients whose domain is syntactically valid count.
                  and any(recipients.to,
                          .email.domain.valid
                          and (
                            // Plaintext email address in URL (case-insensitive).
                            // `..` is the enclosing exploded-file scope, `.` is the
                            // current recipient.
                            strings.icontains(..scan.qr.url.url, .email.email)
                            // OR base64 encoded email address: decode base64-looking
                            // substrings of the URL (format="url" presumably selects the
                            // URL-safe alphabet; missing padding is tolerated) and look
                            // for the recipient address in each decoded string.
                            or any(strings.scan_base64(..scan.qr.url.url,
                                                       format="url",
                                                       ignore_padding=true
                                   ),
                                   strings.icontains(., ..email.email)
                            )
                          )
                  )
                  // URI Struct for Common Kratos/SneakyLog Redir: `.company`, `.cyou`
                  // or `.sbs` immediately followed by a literal `$` or `#`, or by
                  // `?a=`. regex.contains is unanchored, so this matches at any
                  // position in the URL string (host, path or query).
                  // NOTE(review): inside `[...]` the `$` is a literal dollar sign,
                  // not an end-of-string anchor. If "TLD at end of URL" was the
                  // intent, an alternation such as `(?:$|#|\?a=)` would be needed;
                  // confirm against known samples before changing.
                  and regex.contains(.scan.qr.url.url,
                                     '\.(?:c(?:ompany|you)|sbs)(?:[$#]|\?a=)'
                  )
          )
        )
        or (
          // pdf or images (keyed on .file_type rather than .file_extension)
          (
            .file_type == "pdf" or .file_type in $file_types_images
          )
          //
          // This rule makes use of a beta feature and is subject to change without notice
          // using the beta feature in custom rules is not suggested until it has been formally released
          //
          // Unlike the Office branch above there is NO recipient-address check
          // here: any decoded QR code (any .type, not only "url") whose URL
          // matches the redirect structure is enough for the rule to fire.
          // Same regex as above; see the NOTE(review) there about the literal `$`.
          and any(beta.scan_qr(.).items,
                  .type is not null
                  and regex.contains(.url.url,
                                     '\.(?:c(?:ompany|you)|sbs)(?:[$#]|\?a=)'
                  )
          )
        )
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
name: "Attachment: QR code with encoded recipient targeting and redirect indicators"
description: "Detects QR codes in attachments that contain the recipient's email address (either plaintext or base64 encoded) and redirect through suspicious URI structures commonly associated with Kratos/SneakyLog redirection services."
type: "rule"
severity: "high"
# Detection logic in MQL. Two attachment branches are ORed: Office documents
# (QR URL must embed the recipient address AND match the redirect structure)
# and PDFs/images (redirect structure only, no recipient correlation).
source: |
  // Inbound messages carrying an attachment whose decoded QR code points at a
  // URL with the Kratos/SneakyLog-style redirect structure matched below.
  type.inbound
  // QR code detection in attachments
  and any(attachments,
          (
            // Office documents. $file_extensions_macros is a platform-provided
            // list whose contents are not visible in this rule.
            .file_extension in $file_extensions_macros
            // file.explode(.) yields the objects extracted from the attachment;
            // each one is inspected for a decoded QR code whose payload is a URL.
            and any(file.explode(.),
                    .scan.qr.type == "url"
                    // QR code URL contains recipient's email (targeting indicator).
                    // Only recipients whose domain is syntactically valid count.
                    and any(recipients.to,
                            .email.domain.valid
                            and (
                              // Plaintext email address in URL (case-insensitive).
                              // `..` is the enclosing exploded-file scope, `.` is the
                              // current recipient.
                              strings.icontains(..scan.qr.url.url, .email.email)
                              // OR base64 encoded email address: decode base64-looking
                              // substrings of the URL (format="url" presumably selects the
                              // URL-safe alphabet; missing padding is tolerated) and look
                              // for the recipient address in each decoded string.
                              or any(strings.scan_base64(..scan.qr.url.url,
                                                         format="url",
                                                         ignore_padding=true
                                     ),
                                     strings.icontains(., ..email.email)
                              )
                            )
                    )
                    // URI Struct for Common Kratos/SneakyLog Redir: `.company`, `.cyou`
                    // or `.sbs` immediately followed by a literal `$` or `#`, or by
                    // `?a=`. regex.contains is unanchored, so this matches at any
                    // position in the URL string (host, path or query).
                    // NOTE(review): inside `[...]` the `$` is a literal dollar sign,
                    // not an end-of-string anchor. If "TLD at end of URL" was the
                    // intent, an alternation such as `(?:$|#|\?a=)` would be needed;
                    // confirm against known samples before changing.
                    and regex.contains(.scan.qr.url.url,
                                       '\.(?:c(?:ompany|you)|sbs)(?:[$#]|\?a=)'
                    )
            )
          )
          or (
            // pdf or images (keyed on .file_type rather than .file_extension)
            (
              .file_type == "pdf" or .file_type in $file_types_images
            )
            //
            // This rule makes use of a beta feature and is subject to change without notice
            // using the beta feature in custom rules is not suggested until it has been formally released
            //
            // Unlike the Office branch above there is NO recipient-address check
            // here: any decoded QR code (any .type, not only "url") whose URL
            // matches the redirect structure is enough for the rule to fire.
            // Same regex as above; see the NOTE(review) there about the literal `$`.
            and any(beta.scan_qr(.).items,
                    .type is not null
                    and regex.contains(.url.url,
                                       '\.(?:c(?:ompany|you)|sbs)(?:[$#]|\?a=)'
                    )
            )
          )
  )
# Classification metadata used for triage and search; not evaluated by the query.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Evasion"
  - "Image as content"
  - "Open redirect"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "QR code analysis"
  - "URL analysis"
id: "5d51e565-ea18-501e-87a6-37cdda705631"