High Severity
Attachment: QR Code Link With Base64-Encoded Recipient Address
Description
Detects when an image or macro attachment contains QR codes that, when scanned, lead to URLs containing the recipient's email address. This tactic is used to uniquely track or target specific recipients and serve tailored credential phishing pages.
References
No references.
Sublime Security
Created Feb 25th, 2025 • Last updated Mar 27th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and 1 of (
any(ml.nlu_classifier(subject.subject).intents,
.name == "cred_theft" and .confidence == "high"
),
body.current_thread.text is null,
any($org_slds, strings.icontains(sender.display_name, .))
)
and any(attachments,
(.file_type in $file_types_images or .file_extension in $file_extensions_macros or .file_type == "pdf")
and any(file.explode(.),
any(recipients.to,
.email.domain.valid
and any(beta.scan_base64(..scan.qr.url.url, format="url", ignore_padding=true),
strings.icontains(., ..email.email)
)
)
)
)
and not profile.by_sender_email().any_false_positives
and not profile.by_sender_email().solicited
Playground
Test against your own EMLs or sample data.