Author: Sublime | Severity: high | Type: Rule
QR code to auto-download of a suspicious file type (unsolicited)
A QR code in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA. Recursively explodes auto-downloaded files within archives to detect these file types.
Detection Query
type.inbound
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
and beta.scan_qr(file.message_screenshot()).found
and any(beta.scan_qr(file.message_screenshot()).items,
        any(ml.link_analysis(.url).files_downloaded,
            strings.ilike(.file_name, "*.exe")
            or .file_extension in (
              "dll",
              "exe",
              "html",
              "lnk",
              "js",
              "vba",
              "vbs",
              "vbe",
              "bat",
              "py",
              "ics",
              "sh",
              "ps1"
            )
            // or call file.explode to get yara/mime types
            or any(file.explode(.),
                   // file ext is not dll/exe, but the MIME type or YARA flavor identifies a PE (exe)
                   (
                     .file_extension not in ("dll", "exe")
                     and (
                       .flavors.mime in ("application/x-dosexec")
                       or any(.flavors.yara, . in ('mz_file'))
                     )
                   )
                   // or a macho file
                   or any(.flavors.yara, . == "macho_file")
            )
        )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
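To make the rule's matching logic testable outside the Sublime platform, the following is an added Python model of it (this is example code, not Sublime's). The names File, explode, download_is_suspicious, rule_matches, SAMPLE and the dict keys are this example's own, and it assumes file.explode(.) returns the file itself plus every nested file.

```python
from dataclasses import dataclass, field
# Extensions the rule flags when a QR-code URL auto-downloads them
SUSPICIOUS_EXT = {"dll", "exe", "html", "lnk", "js", "vba", "vbs", "vbe",
                  "bat", "py", "ics", "sh", "ps1"}
@dataclass
class File:  # constructed stand-in for a Sublime file object
    file_name: str
    mime: str = ""
    yara: set = field(default_factory=set)
    children: list = field(default_factory=list)  # archive contents
    @property
    def file_extension(self):
        return self.file_name.rsplit(".", 1)[1].lower() if "." in self.file_name else ""

def explode(f):
    """Model of file.explode(.): the file itself plus every nested file (assumed semantics)."""
    yield f
    for child in f.children:
        yield from explode(child)

def download_is_suspicious(f):
    """The predicate applied to each file in ml.link_analysis(.url).files_downloaded."""
    if f.file_name.lower().endswith(".exe") or f.file_extension in SUSPICIOUS_EXT:
        return True
    for inner in explode(f):
        # extension is not dll/exe (renamed or missing) but MIME/YARA says Windows PE
        pe_disguised = inner.file_extension not in ("dll", "exe") and (
            inner.mime == "application/x-dosexec" or "mz_file" in inner.yara)
        if pe_disguised or "macho_file" in inner.yara:
            return True
    return False

def rule_matches(msg):
    """msg mirrors the MQL fields the rule reads; the dict keys are this example's own."""
    qr_files = [f for item in msg["qr_items"] for f in item["files_downloaded"]]
    if not any(download_is_suspicious(f) for f in qr_files):  # also False with no QR code
        return False
    # high-trust sender domains are exempt only while DMARC passes
    if msg["sender_root_domain"] in msg["high_trust_domains"] and msg["dmarc_pass"]:
        return False
    p = msg["profile"]
    return not p["solicited"] or (p["any_malicious_or_spam"] and not p["any_benign"])

# Constructed sample: the QR URL auto-downloads a ZIP holding a PE renamed to invoice.pdf
SAMPLE = {"qr_items": [{"files_downloaded": [File("docs.zip", "application/zip", children=[
              File("invoice.pdf", "application/x-dosexec", {"mz_file"})])]}],
          "sender_root_domain": "example.net", "high_trust_domains": {"example.com"},
          "dmarc_pass": True, "profile": {"solicited": False,
                                          "any_malicious_or_spam": False, "any_benign": False}}
```

Running the model also shows a scoping detail of the explode branch: it only flags executables whose extension is not dll/exe, so a plainly named PE inside an archive is caught only when the archive itself carries a flagged extension or name.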
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "QR code to auto-download of a suspicious file type (unsolicited)"
description: |
  A QR code in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.
  Recursively explodes auto-downloaded files within archives to detect these file types.
type: "rule"
severity: "high"
source: |
  type.inbound
  //
  // This rule makes use of a beta feature and is subject to change without notice
  // using the beta feature in custom rules is not suggested until it has been formally released
  //
  and beta.scan_qr(file.message_screenshot()).found
  and any(beta.scan_qr(file.message_screenshot()).items,
          any(ml.link_analysis(.url).files_downloaded,
              strings.ilike(.file_name, "*.exe")
              or .file_extension in (
                "dll",
                "exe",
                "html",
                "lnk",
                "js",
                "vba",
                "vbs",
                "vbe",
                "bat",
                "py",
                "ics",
                "sh",
                "ps1"
              )
              // or call file.explode to get yara/mime types
              or any(file.explode(.),
                     // file ext is not dll/exe, but the MIME type or YARA flavor identifies a PE (exe)
                     (
                       .file_extension not in ("dll", "exe")
                       and (
                         .flavors.mime in ("application/x-dosexec")
                         or any(.flavors.yara, . in ('mz_file'))
                       )
                     )
                     // or a macho file
                     or any(.flavors.yara, . == "macho_file")
              )
          )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "LNK"
  - "Social engineering"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "URL analysis"
  - "QR code analysis"
id: "eed87ea2-fc48-523c-a08a-b1febf53f25b"