EXPLORE
Sign In
← Back to Explore
sublimehighRule

Brand Impersonation: Google (QR Code)

Detects messages using Google based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1598.003
initial-access

Detection Query

type.inbound
and length(body.current_thread.text) < 1000
and any([subject.subject, sender.display_name, body.current_thread.text],
        regex.icontains(.,
                        '(\b2fa\b|\bQ.?R\.?\s?\b|MFA|Muti[ -]?Factor|(Auth(enticat|e|or|ion))?)'
        )
)
and (
  any(attachments,
      (
        .file_type in $file_types_images
        or .file_type == "pdf"
        or .file_type in~ $file_extensions_macros
      )
      and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
  )
  or any(ml.logo_detect(file.message_screenshot()).brands,
         strings.starts_with(.name, "Google")
  )
)
and any(attachments,
        (
          .file_type in $file_types_images
          or .file_type == "pdf"
          or .file_type in $file_extensions_macros
        )
        and (
          any(file.explode(.),
              regex.icontains(.scan.ocr.raw, 'scan|camera')
              and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
          )
          or any(file.explode(.),
                 .scan.qr.type is not null
                 and regex.contains(.scan.qr.data, '\.')
          )
          or (
            //
            // This rule makes use of a beta feature and is subject to change without notice
            // using the beta feature in custom rules is not suggested until it has been formally released
            //
            beta.parse_exif(file.message_screenshot()).image_height < 2000
            and beta.parse_exif(file.message_screenshot()).image_width < 2000
            and any(beta.scan_qr(file.message_screenshot()).items,
                    .type is not null and regex.contains(.data, '\.')
            )
          )
        )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand Impersonation: Google (QR Code)"
description: "Detects messages using Google based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(body.current_thread.text) < 1000
  and any([subject.subject, sender.display_name, body.current_thread.text],
          regex.icontains(.,
                          '(\b2fa\b|\bQ.?R\.?\s?\b|MFA|Muti[ -]?Factor|(Auth(enticat|e|or|ion))?)'
          )
  )
  and (
    any(attachments,
        (
          .file_type in $file_types_images
          or .file_type == "pdf"
          or .file_type in~ $file_extensions_macros
        )
        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
    )
    or any(ml.logo_detect(file.message_screenshot()).brands,
           strings.starts_with(.name, "Google")
    )
  )
  and any(attachments,
          (
            .file_type in $file_types_images
            or .file_type == "pdf"
            or .file_type in $file_extensions_macros
          )
          and (
            any(file.explode(.),
                regex.icontains(.scan.ocr.raw, 'scan|camera')
                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
            )
            or any(file.explode(.),
                   .scan.qr.type is not null
                   and regex.contains(.scan.qr.data, '\.')
            )
            or (
              //
              // This rule makes use of a beta feature and is subject to change without notice
              // using the beta feature in custom rules is not suggested until it has been formally released
              //
              beta.parse_exif(file.message_screenshot()).image_height < 2000
              and beta.parse_exif(file.message_screenshot()).image_width < 2000
              and any(beta.scan_qr(file.message_screenshot()).items,
                      .type is not null and regex.contains(.data, '\.')
              )
            )
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  and not profile.by_sender().any_messages_benign
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "QR code"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "7ffd184c-d936-5894-9d5a-cd1fbd105a0d"