Compensation review with QR code in attached EML

name: "Compensation review with QR code in attached EML"
description: "Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents."
type: "rule"
severity: "high"
source: |
  type.inbound
  
  // the subject contains pay related items
  and (
    strings.icontains(subject.subject, 'salary')
    or regex.icontains(subject.subject, 'comp(?:liance|ensation|\b)')
    or strings.icontains(subject.subject, 'remuneration')
    or regex.icontains(subject.subject, '\bpay(?:roll|\b)')
    or strings.icontains(subject.subject, 'bonus')
    or strings.icontains(subject.subject, 'incentive')
    or strings.icontains(subject.subject, 'merit')
    or strings.icontains(subject.subject, 'handbook')
    or strings.icontains(subject.subject, 'benefits')
  )
  // subjects include review/updates/changes
  and (
    strings.icontains(subject.subject, 'review')
    or strings.icontains(subject.subject, 'Summary')
    or strings.icontains(subject.subject, 'evaluation')
    or regex.icontains(subject.subject, 'eval\b')
    or strings.icontains(subject.subject, 'assessment')
    or strings.icontains(subject.subject, 'appraisal')
    or strings.icontains(subject.subject, 'feedback')
    or strings.icontains(subject.subject, 'performance')
    or strings.icontains(subject.subject, 'adjustment')
    or strings.icontains(subject.subject, 'statement')
    or strings.icontains(subject.subject, 'increase')
    or strings.icontains(subject.subject, 'raise')
    or strings.icontains(subject.subject, 'change')
    or strings.icontains(subject.subject, 'modification')
    or strings.icontains(subject.subject, 'distribution')
    or strings.icontains(subject.subject, 'Disbursement')
    or regex.icontains(subject.subject, 'revis(?:ed|ion)')
    or regex.icontains(subject.subject, 'amend(?:ed|ment)')
    or strings.icontains(subject.subject, 'update')
  )
  and any(filter(attachments,
                 .content_type == "message/rfc822" or .file_extension in ('eml')
          ),
          // inspect attachments in nested EML
          any(file.parse_eml(.).attachments,
              any(file.explode(.),
                  (
                    regex.icontains(.scan.ocr.raw, 'scan|camera')
                    and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
                  )
                  or .scan.qr.type == "url" and .scan.qr.url.domain.valid
              )
          )
          // inspect nested EML in body.current_thread
          or (
            regex.icontains(file.parse_eml(.).body.current_thread.text,
                            'scan|camera'
            )
            and regex.icontains(file.parse_eml(.).body.current_thread.text,
                                '\bQR\b|Q\.R\.|barcode'
            )
          )
          // or there is a QR code found within the body of the nested body
          or (
            beta.scan_qr(file.html_screenshot(file.parse_eml(.).body.html)).found
            and any(beta.scan_qr(file.html_screenshot(file.parse_eml(.).body.html)
                    ).items,
                    .type == "url" and .url.domain.valid
            )
          )
  )
  
  // negate instances where proofpoint sends a review of a reported message via analyzer 
  and not (
    sender.email.email == "analyzer@analyzer.securityeducation.com"
    and any(headers.domains, .root_domain == "pphosted.com")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Optical Character Recognition"
  - "QR code analysis"
id: "98a2f03c-4bec-556d-af84-709d41819877"