Link: QR code in EML attachment with credential phishing indicators
This rule detects a QR code inside an attached EML (when that EML is the message's only attachment) whose decoded URL either returns a credential-phishing disposition from link analysis, lands on a short bot/human "verification" gate page (including one that loads Cloudflare Turnstile), or is leveraging a known open redirect. QR URLs whose root domain belongs to the organisation are excluded.
Detection Query
// Scope: inbound mail carrying exactly one attachment, where that attachment is an
// embedded message (content type message/rfc822 or an "eml" file extension).
// NOTE(review): the single-attachment gate means a forwarded EML that arrives next
// to any other attachment (e.g. an inline signature image) is never evaluated.
type.inbound
and length(attachments) == 1
and any(attachments,
  (.content_type == "message/rfc822" or .file_extension =~ "eml")
  // explode the attached EML and look for a QR code that decodes to a URL;
  // .depth > 0 keeps only objects found inside the attachment, not the EML itself
  and any(file.explode(.),
    .depth > 0
    and .scan.qr.type == "url"
    // any ONE of the four indicators below on the decoded URL is enough to match.
    // ml.link_analysis(.scan.qr.url) is invoked four times on the same URL here;
    // whether the platform caches that result is not visible from this rule.
    and (
      // 1. link analysis classifies the landing page as credential phishing
      ml.link_analysis(.scan.qr.url).credphish.disposition == "phishing"
      // 2. the final page's visible text reads like a bot/human verification gate
      //    and is short (< 250 chars) - the length cap is what separates a bare
      //    interstitial from a legitimate page that merely mentions "verify".
      //    NOTE(review): presumably aimed at CAPTCHA-style gates phishing kits put
      //    in front of the lure; "*human*" and "*verify*" are broad on their own.
      or (
        strings.ilike(ml.link_analysis(.scan.qr.url).final_dom.display_text,
                      "*robot*",
                      "*session check*",
                      "*verify*",
                      "*human*"
        )
        and length(ml.link_analysis(.scan.qr.url).final_dom.display_text
        ) < 250
      )
      // 3. while loading the page, a Cloudflare Turnstile challenge URL was fetched
      //    (host challenges.cloudflare.com, "turnstile" in the path). Same gating
      //    idea as 2, detected from fetched URLs rather than page text.
      //    NOTE(review): any Turnstile-protected site satisfies this clause; the
      //    org-domain exclusion below is the only false-positive control for it.
      or any(ml.link_analysis(.scan.qr.url).unique_urls_accessed,
             .domain.domain == "challenges.cloudflare.com"
             and strings.icontains(.path, "turnstile")
      )
      // 4. the URL's rewrite metadata lists an encoder containing "open_redirect",
      //    i.e. the QR link passes through a known open redirect
      or any(.scan.qr.url.rewrite.encoders,
             strings.icontains(., "open_redirect")
      )
    )
    // exclude QR links whose root domain is one of the organisation's own.
    // NOTE(review): this also suppresses an open redirect hosted on an org domain
    // (indicator 4) - confirm that trade-off is intended.
    and .scan.qr.url.domain.root_domain not in $org_domains
  )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Sublime Security detection rule; the MQL query is embedded under `source:`.
name: "Link: QR code in EML attachment with credential phishing indicators"
# NOTE(review): the description names only the phishing disposition and the
# open-redirect indicator; the query below also matches on a short bot/human
# verification landing page and on a Cloudflare Turnstile fetch.
description: "This rule detects QR codes in EML attachments that return a phishing disposition when analyzed, or are leveraging a known open redirect. "
type: "rule"
# Rule-level severity; a single value applies to every match.
severity: "high"
# Query scope: inbound mail whose only attachment is an embedded message
# (message/rfc822 or "eml"), exploded to find a QR code that decodes to a URL.
# A match needs ONE of four indicators on that URL - credential-phishing
# disposition from link analysis, verification-gate display text under 250
# chars, a challenges.cloudflare.com/turnstile fetch, or an "open_redirect"
# rewrite encoder - and the URL's root domain must not be in $org_domains.
# NOTE(review): the "// credential theft language in the attached EML" comment
# inside the query is stale - that clause looks for a QR code, not for wording.
# NOTE(review): the Turnstile clause fires for any Turnstile-protected site; the
# $org_domains exclusion is its only false-positive control, and that exclusion
# also suppresses an open redirect hosted on an org-owned domain.
source: |
  type.inbound
  and length(attachments) == 1
  and any(attachments,
    (.content_type == "message/rfc822" or .file_extension =~ "eml")
    // credential theft language in the attached EML
    and any(file.explode(.),
      .depth > 0
      and .scan.qr.type == "url"
      // linkanalysis phishing disposition
      and (
        ml.link_analysis(.scan.qr.url).credphish.disposition == "phishing"
        or (
          strings.ilike(ml.link_analysis(.scan.qr.url).final_dom.display_text,
                        "*robot*",
                        "*session check*",
                        "*verify*",
                        "*human*"
          )
          and length(ml.link_analysis(.scan.qr.url).final_dom.display_text
          ) < 250
        )
        or any(ml.link_analysis(.scan.qr.url).unique_urls_accessed,
               .domain.domain == "challenges.cloudflare.com"
               and strings.icontains(.path, "turnstile")
        )
        or any(.scan.qr.url.rewrite.encoders,
               strings.icontains(., "open_redirect")
        )
      )
      and .scan.qr.url.domain.root_domain not in $org_domains
    )
  )
# Classification tags.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Open redirect"
  - "QR code"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "QR code analysis"
id: "9908ed3a-4c01-5a8d-82f9-78794b367c6e"