Medium Severity
Attachment: QR code with credential phishing indicators
Description
Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code url traverses suspicious infrastructure, the final destination is in URLhaus, decoded URL downloads a zip or executable, leverages URL shorteners, known QR abused openredirects, and more.
References
No references.
Sublime Security
Created Sep 28th, 2023 • Last updated Apr 14th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and (
1 <= length(attachments) < 3
or (
// if there are more than three attachments
3 <= length(attachments) < 20
// there are only pngs and pdf/docx
and length(distinct(map(attachments, .file_extension))) == 2
and all(distinct(map(attachments, .file_extension)),
. in ('png', 'pdf', 'docx')
)
and (
// multiple attachments mention common brands or other common common filenames
(
length(filter(attachments,
strings.icontains(.file_name, 'adobe')
or strings.icontains(.file_name, 'office')
or strings.icontains(.file_name, 'appstore')
or strings.icontains(.file_name, 'google')
or strings.icontains(.file_name, 'padlock')
or regex.icontains(.file_name, '\bdoc\b')
)
) > 3
)
or any(filter(attachments, .file_extension in ('pdf', 'docx')),
any(recipients.to,
strings.icontains(..file_name, .email.domain.sld)
)
)
)
)
)
// Inspects image attachments for QR codes
and any(attachments,
(
.file_type in $file_types_images
or .file_type == "pdf"
or .file_extension in $file_extensions_macros
)
and (
any(file.explode(.),
.scan.qr.type == "url"
and not .scan.qr.url.domain.domain == "geico.app.link"
and (
// pass the QR URL to LinkAnalysis
any([ml.link_analysis(.scan.qr.url)],
.credphish.disposition == "phishing"
// any routing traverses via $suspicious_tld list
or any(.redirect_history, .domain.tld in $suspicious_tlds)
// effective destination in $suspicious_tld list
or .effective_url.domain.tld in $suspicious_tlds
// or the effective destination domain is in $abuse_ch_urlhaus_domains_trusted_reporters
or .effective_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
// or any files downloaded are zips or executables
or any(.files_downloaded,
.file_extension in $file_extensions_common_archives
or .file_extension in $file_extensions_executables
)
)
or (
// or the QR code's root domain is a url_shortener
.scan.qr.url.domain.root_domain in $url_shorteners
and (
not (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "benign"
)
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "disclaimer"
)
)
or not any(attachments,
any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "benign"
)
)
)
or (
any(recipients.to,
strings.icontains(..scan.qr.url.url, .email.email)
)
)
)
// exclude google maps
and not strings.starts_with(.scan.qr.url.url,
'https://goo.gl/maps'
)
and not strings.starts_with(.scan.qr.url.url,
'https://maps.app.goo.gl'
)
)
// the QR code url is a bing open redirect
or (
.scan.qr.url.domain.root_domain == 'bing.com'
and .scan.qr.url.path =~ '/ck/a'
)
// QR code contains non ascii chars
or regex.contains(.scan.qr.url.url, '[^\x00-\x7F]')
or (
// usap-dc open redirect
.scan.qr.url.domain.root_domain == "usap-dc.org"
and .scan.qr.url.path =~ "/tracker"
and strings.starts_with(.scan.qr.url.query_params,
"type=dataset&url=http"
)
or (
any(recipients.to,
strings.icontains(..scan.qr.url.url, .email.email)
or any(beta.scan_base64(..scan.qr.url.url,
ignore_padding=true
),
strings.icontains(., ..email.email)
)
or any(beta.scan_base64(..scan.qr.url.fragment,
ignore_padding=true
),
strings.icontains(., ..email.email)
)
)
)
)
)
)
)
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
or (
sender.email.domain.domain in $org_domains
and not headers.auth_summary.dmarc.pass
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.