EXPLORE
Sign In
← Back to Explore
sublimehighRule

Attachment: QR code with userinfo portion

Detects inbound messages that contain image or document attachments with QR codes containing embedded usernames, passwords, or excessively padded URLs. This technique is used to bypass traditional text-based detection methods.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1204.002T1486T1036T1027
defense-evasion

Detection Query

type.inbound
and any(attachments,
        (
          .file_type in $file_types_images
          or .file_extension in $file_extensions_macros
          or .file_type == "pdf"
        )
        and any(file.explode(.),
                (
                  .scan.qr.url.username is not null
                  or .scan.qr.url.password is not null
                  // keep in sync with https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/link_userinfo_excessive_padding.yml
                  or regex.icontains(coalesce(.scan.qr.url.rewrite.original,
                                              .scan.qr.url.url
                                     ),
                                     'https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+(?:\s+|%(?:25)?[a-f0-9]{2}|0x[a-f0-9]+){30,}(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)'
                  )
                )
                and .scan.qr.url.domain.root_domain != sender.email.domain.root_domain
                and not any(recipients.to,
                            .email.domain.root_domain == ..scan.qr.url.domain.root_domain
                )
                and not any(recipients.cc,
                            .email.domain.root_domain == ..scan.qr.url.domain.root_domain
                )
        )
)
and not profile.by_sender_email().any_messages_benign
and not profile.by_sender_email().solicited

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "Attachment: QR code with userinfo portion"
description: "Detects inbound messages that contain image or document attachments with QR codes containing embedded usernames, passwords, or excessively padded URLs. This technique is used to bypass traditional text-based detection methods."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_type in $file_types_images
            or .file_extension in $file_extensions_macros
            or .file_type == "pdf"
          )
          and any(file.explode(.),
                  (
                    .scan.qr.url.username is not null
                    or .scan.qr.url.password is not null
                    // keep in sync with https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/link_userinfo_excessive_padding.yml
                    or regex.icontains(coalesce(.scan.qr.url.rewrite.original,
                                                .scan.qr.url.url
                                       ),
                                       'https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+(?:\s+|%(?:25)?[a-f0-9]{2}|0x[a-f0-9]+){30,}(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)'
                    )
                  )
                  and .scan.qr.url.domain.root_domain != sender.email.domain.root_domain
                  and not any(recipients.to,
                              .email.domain.root_domain == ..scan.qr.url.domain.root_domain
                  )
                  and not any(recipients.cc,
                              .email.domain.root_domain == ..scan.qr.url.domain.root_domain
                  )
          )
  )
  and not profile.by_sender_email().any_messages_benign
  and not profile.by_sender_email().solicited
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
  - "PDF"
  - "QR code"
detection_methods:
  - "QR code analysis"
  - "File analysis"
  - "Sender analysis"
id: "9d62cc5c-787c-5f57-93be-0ee96dc73d3e"