Sublime rule, severity: high

Attachment: QR code link with base64-encoded recipient address

Detects when an image or macro attachment contains QR codes that, when scanned, lead to URLs containing the recipient's email address. This tactic is used to uniquely track or target specific recipients and serve tailored credential phishing pages.

MITRE ATT&CK

initial-access, defense-evasion, execution

Detection Query

type.inbound
and 1 of (
  any(ml.nlu_classifier(subject.subject).intents,
      .name == "cred_theft" and .confidence == "high"
  ),
  body.current_thread.text is null,
  any($org_slds, strings.icontains(sender.display_name, .))
)
and any(attachments,
        (
          .file_type in $file_types_images
          or .file_extension in $file_extensions_macros
          or .file_type == "pdf"
        )
        and any(file.explode(.),
                any(recipients.to,
                    .email.domain.valid
                    and any(beta.scan_base64(..scan.qr.url.url,
                                             format="url",
                                             ignore_padding=true
                            ),
                            strings.icontains(., ..email.email)
                    )
                )
        )
)
and not profile.by_sender_email().any_messages_benign
and not profile.by_sender_email().solicited
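As an added illustration (not Sublime's own code, and not the implementation behind `beta.scan_base64`), the Python below approximates the inner check of the query above: pull every base64-looking run out of a decoded QR URL, decode it leniently (URL-safe alphabet accepted, padding optional, as `ignore_padding=true` allows), and test each recipient address case-insensitively against the result, the way `strings.icontains(., ..email.email)` does. The sample URLs and recipient addresses are constructed; QR decoding itself (`.scan.qr.url.url`) and the `.email.domain.valid` gate are assumed to have happened upstream and are not reproduced.

```python
import base64
import re

# Constructed sample data (not from the page): decoded QR-code URLs and the
# message recipients they will be checked against.
RECIPIENTS = ["jane.doe@example.com", "ops@example.com"]


def _b64url(s):
    """URL-safe base64 without padding, the form usually seen in tracking links."""
    return base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")


SAMPLE_QR_URLS = {
    # recipient address as an unpadded URL-safe blob in a query parameter
    "hit_query": "https://login-verify.example/session?u=" + _b64url("jane.doe@example.com"),
    # recipient address embedded in a larger, padded blob used as a path segment
    "hit_path": "https://login-verify.example/r/"
                + base64.b64encode(b"id=42&e=ops@example.com").decode() + "/verify",
    # same shape, but it encodes somebody else's mailbox
    "miss_other": "https://login-verify.example/session?u=" + _b64url("user@other.example"),
    # nothing base64-like at all
    "miss_plain": "https://www.example.org/menu",
}

_B64_RUN = re.compile(r"[A-Za-z0-9+/_-]+")


def base64_candidates(url, min_len=8):
    """Rough stand-in for scan_base64(..., format="url", ignore_padding=true):
    split the URL at structural delimiters and collect every base64-alphabet run
    long enough to hold an address. Each run is tried whole (standard base64 may
    contain '/') and as its '/'-separated segments (URL-safe base64 never does)."""
    out = []
    for token in re.split(r"[?&#=:]", url):
        for run in _B64_RUN.findall(token):
            pieces = [run] + (run.split("/") if "/" in run else [])
            out.extend(p for p in pieces if len(p) >= min_len)
    return out


def decode_lenient(candidate):
    """Decode as base64, accepting the URL-safe alphabet and missing padding.
    Returns the decoded text, or None if it is not valid base64 or not UTF-8."""
    s = candidate.rstrip("=").replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)          # re-pad; a length of 4n+1 stays invalid
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def find_targeted_recipient(url, recipients):
    """Mirror of the rule's inner check: does any decoded base64 blob in the QR
    URL contain one of the message's recipients (case-insensitive)?
    Returns (recipient, decoded_blob) on the first match, else None."""
    decoded_blobs = [d for d in map(decode_lenient, base64_candidates(url)) if d]
    for rcpt in recipients:
        for blob in decoded_blobs:
            if rcpt.lower() in blob.lower():   # strings.icontains semantics
                return rcpt, blob
    return None


if __name__ == "__main__":
    for label, url in SAMPLE_QR_URLS.items():
        print(f"{label:10s} -> {find_targeted_recipient(url, RECIPIENTS)}")
```

The containment test (rather than equality) matters: phishing kits often pack the address together with a campaign or tracking id into one blob, so a decoded value like `id=42&e=ops@example.com` still counts as a hit, exactly as `icontains` would treat it in the rule.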

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content
name: "Attachment: QR code link with base64-encoded recipient address"
description: "Detects when an image or macro attachment contains QR codes that, when scanned, lead to URLs containing the recipient's email address. This tactic is used to uniquely track or target specific recipients and serve tailored credential phishing pages."
type: "rule"
severity: "high"
source: |
  type.inbound
  and 1 of (
    any(ml.nlu_classifier(subject.subject).intents,
        .name == "cred_theft" and .confidence == "high"
    ),
    body.current_thread.text is null,
    any($org_slds, strings.icontains(sender.display_name, .))
  )
  and any(attachments,
          (
            .file_type in $file_types_images
            or .file_extension in $file_extensions_macros
            or .file_type == "pdf"
          )
          and any(file.explode(.),
                  any(recipients.to,
                      .email.domain.valid
                      and any(beta.scan_base64(..scan.qr.url.url,
                                               format="url",
                                               ignore_padding=true
                              ),
                              strings.icontains(., ..email.email)
                      )
                  )
          )
  )
  and not profile.by_sender_email().any_messages_benign
  and not profile.by_sender_email().solicited
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Image as content"
  - "Social engineering"
  - "Evasion"
  - "PDF"
  - "Macros"
detection_methods:
  - "Computer Vision"
  - "File analysis"
  - "Natural Language Understanding"
  - "QR code analysis"
  - "Sender analysis"
id: "927a0c1a-f136-56db-acfd-df47db6ec246"