Medium Severity
Attachment: QR code with credential phishing indicators
Description
Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code url traverses suspicious infrastructure, the final destination is in URLhaus, decoded URL downloads a zip or executable, leverages URL shorteners, known QR abused openredirects, and more.
References
No references.
Sublime Security
Created Sep 28th, 2023 • Last updated Jul 29th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and 1 <= length(attachments) < 3
// Inspects image attachments for QR codes
and any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and (
any(file.explode(.),
.scan.qr.type == "url"
and not .scan.qr.url.domain.domain == "geico.app.link"
and (
// pass the QR URL to LinkAnalysis
any([ml.link_analysis(.scan.qr.url)],
.credphish.disposition == "phishing"
// any routing traverses via $suspicious_tld list
or any(.redirect_history, .domain.tld in $suspicious_tlds)
// effective destination in $suspicious_tld list
or .effective_url.domain.tld in $suspicious_tlds
// or the effective destination domain is in $abuse_ch_urlhaus_domains_trusted_reporters
or .effective_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
// or any files downloaded are zips or executables
or any(.files_downloaded,
.file_extension in $file_extensions_common_archives
or .file_extension in $file_extensions_executables
)
)
or (
// or the QR code's root domain is a url_shortener
.scan.qr.url.domain.root_domain in $url_shorteners
and (
not (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "benign"
)
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "disclaimer"
)
)
or not any(attachments,
any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "benign"
)
)
)
or (
any(recipients.to,
strings.icontains(..scan.qr.url.url, .email.email)
)
)
)
// exclude google maps
and not strings.starts_with(.scan.qr.url.url, 'https://goo.gl/maps')
and not strings.starts_with(.scan.qr.url.url, 'https://maps.app.goo.gl')
)
// the QR code url is a bing open redirect
or .scan.qr.url.domain.root_domain == 'bing.com' and .scan.qr.url.path =~ '/ck/a'
or (
// usap-dc open redirect
.scan.qr.url.domain.root_domain == "usap-dc.org"
and .scan.qr.url.path =~ "/tracker"
and strings.starts_with(.scan.qr.url.query_params, "type=dataset&url=http")
)
)
)
)
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.