• Sublime Core Feed
High Severity

Attachment: QR Code Link With Base64-Encoded Recipient Address

Labels

Credential Phishing
QR code
Image as content
Social engineering
Evasion
PDF
Macros
Computer Vision
File analysis
Natural Language Understanding
QR code analysis
Sender analysis

Description

Detects when an image or macro attachment contains QR codes that, when scanned, lead to URLs containing the recipient's email address. This tactic is used to uniquely track or target specific recipients and serve tailored credential phishing pages.

References

No references.

Sublime Security
Created Feb 25th, 2025 • Last updated Mar 27th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and 1 of (
  any(ml.nlu_classifier(subject.subject).intents,
      .name == "cred_theft" and .confidence == "high"
  ),
  body.current_thread.text is null,
  any($org_slds, strings.icontains(sender.display_name, .))
)
and any(attachments,
        (.file_type in $file_types_images or .file_extension in $file_extensions_macros or .file_type == "pdf")
        and any(file.explode(.),
                any(recipients.to,
                    .email.domain.valid
                    and any(beta.scan_base64(..scan.qr.url.url, format="url", ignore_padding=true),
                        strings.icontains(., ..email.email)
                    )
                )
        )
)
and not profile.by_sender_email().any_false_positives
and not profile.by_sender_email().solicited
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started