
Attachment: Compensation review lure with QR code

Detects PDF attachments containing compensation or payroll-themed content with QR codes from unsolicited or suspicious senders.

MITRE ATT&CK

initial-access

Detection Query

// Inbound message with exactly one PDF attachment whose file name and content look like a
// compensation/payroll notice that pushes the reader to a QR code, sent with a short (or
// disclaimer-only) body from a sender that is unsolicited, has no benign history, or fails DMARC.
type.inbound
and (
  (
    // exactly one attachment, identified as a PDF by MIME type or detected file type
    length(attachments) == 1
    and any(attachments,
            .content_type == "application/pdf" or .file_type == "pdf"
    )
  )
  and (
    // short or null message body
    (
      length(body.current_thread.text) < 500 or body.current_thread.text is null
    )
    // ignore disclaimers in body length calculation: for each NLU-identified "disclaimer" entity,
    // subtract its length from the body length before applying the same 500-character threshold
    or (
      any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
                     .name == "disclaimer"
              ),
              .text
          ),
          (length(body.current_thread.text) - length(.)) < 500
      )
    )
  )
)
and (
  // attached PDF contains a compensation review themed lure with a QR code and suspicious indicators
  any(attachments,
      // file-name conditions: compensation-themed keyword, or the recipient's own domain label
      (
        // note: 'pay(?:roll)' is a non-optional group, so it matches only "payroll" (not "pay",
        // "payslip" or "payment"); 'comp(?:ensation|liance|\b)' also admits "compliance" and a bare "comp"
        regex.icontains(.file_name,
                        'salary|pay(?:roll)|bonus|comp(?:ensation|liance|\b)|remuneration|disbursement|incentive|merit|vesting'
        )
        // recipient email SLD in filename (..file_name refers to the enclosing attachment, not the recipient)
        or any(recipients.to,
               strings.icontains(..file_name, .email.domain.sld)
               and .email.domain.valid
        )
      )
      // QR-code evidence inside the exploded PDF: either described in its text or decoded directly
      and (
        // conditions for QR code via text: the same raw-strings or OCR source must contain both a
        // "scan"/"camera" instruction and a QR/barcode mention
        any(file.explode(.),
            any([.scan.strings.raw, .scan.ocr.raw],
                regex.icontains(., 'scan|camera')
                and regex.icontains(., '\bQR\b|Q\.R\.|barcode')
            )
        )
        // or a decoded QR code whose payload is a URL on a valid domain
        or any(file.explode(.),
               .scan.qr.type == "url" and .scan.qr.url.domain.valid
        )
      )
      // lure-text conditions, evaluated per exploded file object
      and any(file.explode(.),
              // review/change phrases in file content (raw strings or OCR text)
              any([.scan.strings.raw, .scan.ocr.raw],
                  (
                    regex.icontains(.,
                                    '\b(?:Remuneration Overview|Updated Compensation (?:Summary|Schedule|Details)|Access Your Statements?|Staff Performance Appraisal|Compensation Adjustment|performance appraisal|Appraisal Overview|appraisal and compensation|salary (?:increment|deduction))\b'
                    )
                  )
              )
              // or personalisation plus NLU signals, for lures that avoid the fixed phrases above
              or (
                // recipient local_part in attachment body (OCR text only; strings.contains rather
                // than strings.icontains, so presumably a case-sensitive match)
                any(recipients.to,
                    strings.contains(..scan.ocr.raw, .email.local_part)
                )
                and (
                  // NLU cred_theft disposition with at least medium confidence
                  any(ml.nlu_classifier(.scan.ocr.raw).intents,
                      .name == "cred_theft" and .confidence != "low"
                  )
                  // suspicious topics, again excluding low-confidence results
                  and any(ml.nlu_classifier(.scan.ocr.raw).topics,
                          .name in (
                            "Benefit Enrollment",
                            "Financial Communications"
                          )
                          and .confidence != "low"
                  )
                )
              )
      )
  )
)
// sender reputation: unsolicited, no benign history, or an org-domain sender that did not pass DMARC
and (
  not profile.by_sender_email().solicited
  or not profile.by_sender_email().any_messages_benign
  // note: this branch is logically implied by the `not ... any_messages_benign` clause above
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_messages_benign
  )
  // account for spoofed sender domains; coalesce() makes a missing DMARC result count as not passing
  or (
    sender.email.domain.domain in $org_domains
    and not coalesce(headers.auth_summary.dmarc.pass, false)
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
// note: unlike the org-domain check above, dmarc.pass is not coalesced here, so a missing DMARC
// result does not count as a failure for high-trust senders — confirm this asymmetry is intended
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Sublime Security rule definition; the MQL in `source` is the same query shown under "Detection Query".
name: "Attachment: Compensation review lure with QR code"
description: "Detects PDF attachments containing compensation or payroll-themed content with QR codes from unsolicited or suspicious senders."
type: "rule"
# severity as published for this rule
severity: "high"
# detection logic (MQL literal block; `//` lines inside it are MQL comments, not YAML)
source: |
  type.inbound
  and (
    (
      length(attachments) == 1
      and any(attachments,
              .content_type == "application/pdf" or .file_type == "pdf"
      )
    )
    and (
      // short or null message body
      (
        length(body.current_thread.text) < 500 or body.current_thread.text is null
      )
      // ignore disclaimers in body length calculation
      or (
        any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
                       .name == "disclaimer"
                ),
                .text
            ),
            (length(body.current_thread.text) - length(.)) < 500
        )
      )
    )
  )
  and (
    // attached PDF contains a compensation review themed lure with a QR code and suspicious indicators
    any(attachments,
        // add conditions for pdf attachment
        (
          regex.icontains(.file_name,
                          'salary|pay(?:roll)|bonus|comp(?:ensation|liance|\b)|remuneration|disbursement|incentive|merit|vesting'
          )
          // recipient email SLD in filename
          or any(recipients.to,
                 strings.icontains(..file_name, .email.domain.sld)
                 and .email.domain.valid
          )
        )
        // add conditions for text and any QR code within the pdf attachment
        and (
          // conditions for QR code via text
          any(file.explode(.),
              any([.scan.strings.raw, .scan.ocr.raw],
                  regex.icontains(., 'scan|camera')
                  and regex.icontains(., '\bQR\b|Q\.R\.|barcode')
              )
          )
          or any(file.explode(.),
                 .scan.qr.type == "url" and .scan.qr.url.domain.valid
          )
        )
        // conditions for text
        and any(file.explode(.),
                // review/change terms in file content      
                any([.scan.strings.raw, .scan.ocr.raw],
                    (
                      regex.icontains(.,
                                      '\b(?:Remuneration Overview|Updated Compensation (?:Summary|Schedule|Details)|Access Your Statements?|Staff Performance Appraisal|Compensation Adjustment|performance appraisal|Appraisal Overview|appraisal and compensation|salary (?:increment|deduction))\b'
                      )
                    )
                )
                or (
                  // recipient local_part in attachment body
                  any(recipients.to,
                      strings.contains(..scan.ocr.raw, .email.local_part)
                  )
                  and (
                    // NLU cred_theft disposition
                    any(ml.nlu_classifier(.scan.ocr.raw).intents,
                        .name == "cred_theft" and .confidence != "low"
                    )
                    // suspicious topics
                    and any(ml.nlu_classifier(.scan.ocr.raw).topics,
                            .name in (
                              "Benefit Enrollment",
                              "Financial Communications"
                            )
                            and .confidence != "low"
                    )
                  )
                )
        )
    )
  )
  and (
    not profile.by_sender_email().solicited
    or not profile.by_sender_email().any_messages_benign
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
    // account for spoofed sender domains
    or (
      sender.email.domain.domain in $org_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
# classification metadata
attack_types:
  - "Credential Phishing"
# lure delivery and deception techniques the query keys on
tactics_and_techniques:
  - "PDF"
  - "QR code"
  - "Social engineering"
# analysis capabilities the query relies on (file.explode / OCR / .scan.qr, ml.nlu_classifier,
# profile.by_sender_email, headers.auth_summary)
detection_methods:
  - "File analysis"
  - "Optical Character Recognition"
  - "QR code analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Header analysis"
# stable rule identifier
id: "9fd8185c-e2a7-50d0-895d-9f6b1a1c43ab"