High Severity

Attachment: QR code link with base64-encoded recipient address

Labels

Credential Phishing

QR code

Natural Language Understanding

QR code analysis

Sender analysis

Description

Detects when an image or macro attachment contains QR codes that, when scanned, lead to URLs containing the recipient's email address. This tactic is used to uniquely track or target specific recipients and serve tailored credential phishing pages.

References

No references.

Sublime Security

Created Feb 25th, 2025 • Last updated Jan 12th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and 1 of (
  any(ml.nlu_classifier(subject.subject).intents,
      .name == "cred_theft" and .confidence == "high"
  ),
  body.current_thread.text is null,
  any($org_slds, strings.icontains(sender.display_name, .))
)
and any(attachments,
        (
          .file_type in $file_types_images
          or .file_extension in $file_extensions_macros
          or .file_type == "pdf"
        )
        and any(file.explode(.),
                any(recipients.to,
                    .email.domain.valid
                    and any(beta.scan_base64(..scan.qr.url.url,
                                             format="url",
                                             ignore_padding=true
                            ),
                            strings.icontains(., ..email.email)
                    )
                )
        )
)
and not profile.by_sender_email().any_messages_benign
and not profile.by_sender_email().solicited

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.