Low Severity

Attachment: EML with QR code redirecting to Cloudflare challenges

Labels

Credential Phishing
Malware/Ransomware
Evasion
QR code
File analysis
QR code analysis
URL analysis
Archive analysis

Description

Detects EML attachments containing office documents, PDFs, or images with embedded QR codes that redirect to Cloudflare challenge pages, potentially used to bypass security measures.

References

No references.

Sublime Security
Created Apr 1st, 2026 • Last updated Apr 1st, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(recipients.to) == 1
and recipients.to[0].email.domain.valid
and any(attachments,
        // Email Attachments
        any(file.parse_eml(.).attachments,
            (
              // looks for office docs in the attached eml
              .file_extension in $file_extensions_macros
              and any(file.explode(.),
                      .scan.qr.type == "url"
                      and regex.icontains(ml.link_analysis(.scan.qr.url).final_dom.raw,
                                          'challenges\.cloudflare\.com',
                      )
              )
            )
            or (
              // looks for pdfs and images in the attached eml
              //
              // This rule makes use of a beta feature and is subject to change without notice
              // using the beta feature in custom rules is not suggested until it has been formally released
              //
              any(beta.scan_qr(.).items,
                  .type is not null
                  and regex.icontains(ml.link_analysis(.url).final_dom.raw,
                                      'challenges\.cloudflare\.com'
                  )
              )
            )
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started