← Back to Explore
sublimehighRule
Attachment: QR code with userinfo portion
Detects inbound messages that contain image or document attachments with QR codes containing embedded usernames, passwords, or excessively padded URLs. This technique is used to bypass traditional text-based detection methods.
Detection Query
type.inbound
and any(attachments,
(
.file_type in $file_types_images
or .file_extension in $file_extensions_macros
or .file_type == "pdf"
)
and any(file.explode(.),
(
.scan.qr.url.username is not null
or .scan.qr.url.password is not null
// keep in sync with https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/link_userinfo_excessive_padding.yml
or regex.icontains(coalesce(.scan.qr.url.rewrite.original,
.scan.qr.url.url
),
'https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+(?:\s+|%(?:25)?[a-f0-9]{2}|0x[a-f0-9]+){30,}(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)'
)
)
and .scan.qr.url.domain.root_domain != sender.email.domain.root_domain
and not any(recipients.to,
.email.domain.root_domain == ..scan.qr.url.domain.root_domain
)
and not any(recipients.cc,
.email.domain.root_domain == ..scan.qr.url.domain.root_domain
)
// an error to strings.parse_email returns null for the full object
// this cehck ensures that the url is not a valid email address
and strings.parse_email(.scan.qr.url.url).email is null
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Attachment: QR code with userinfo portion"
description: "Detects inbound messages that contain image or document attachments with QR codes containing embedded usernames, passwords, or excessively padded URLs. This technique is used to bypass traditional text-based detection methods."
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
(
.file_type in $file_types_images
or .file_extension in $file_extensions_macros
or .file_type == "pdf"
)
and any(file.explode(.),
(
.scan.qr.url.username is not null
or .scan.qr.url.password is not null
// keep in sync with https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/link_userinfo_excessive_padding.yml
or regex.icontains(coalesce(.scan.qr.url.rewrite.original,
.scan.qr.url.url
),
'https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+(?:\s+|%(?:25)?[a-f0-9]{2}|0x[a-f0-9]+){30,}(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)'
)
)
and .scan.qr.url.domain.root_domain != sender.email.domain.root_domain
and not any(recipients.to,
.email.domain.root_domain == ..scan.qr.url.domain.root_domain
)
and not any(recipients.cc,
.email.domain.root_domain == ..scan.qr.url.domain.root_domain
)
// an error to strings.parse_email returns null for the full object
// this cehck ensures that the url is not a valid email address
and strings.parse_email(.scan.qr.url.url).email is null
)
)
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "Image as content"
- "PDF"
- "QR code"
detection_methods:
- "QR code analysis"
- "File analysis"
- "Sender analysis"
id: "9d62cc5c-787c-5f57-93be-0ee96dc73d3e"