type.inbound
// Inbound mail carrying an attachment whose embedded QR code points at a
// URL shaped like the Kratos / SneakyLog redirector: a .company / .cyou /
// .sbs host followed by '$', '#' or '?a='.
// Note: inside the character class '[$#]' the '$' is a literal dollar sign,
// not an end-of-string anchor.
and any(attachments,
        // Branch 1: macro-capable Office documents. The document is exploded
        // so that a QR code embedded in it can be decoded.
        (
            .file_extension in $file_extensions_macros
            and any(file.explode(.),
                    .scan.qr.type == "url"
                    // redirector URI shape
                    and regex.contains(.scan.qr.url.url,
                                       '\.(?:c(?:ompany|you)|sbs)(?:[$#]|\?a=)'
                    )
                    // targeting indicator: the QR URL carries a recipient's
                    // address, either verbatim or inside a base64 segment
                    // ('..' steps out of the recipients loop to the exploded
                    // item, and back to the recipient inside scan_base64).
                    // NOTE(review): a percent-encoded '@' (%40) in the URL
                    // would not satisfy the verbatim check below.
                    and any(recipients.to,
                            .email.domain.valid
                            and (
                                strings.icontains(..scan.qr.url.url, .email.email)
                                or any(strings.scan_base64(..scan.qr.url.url,
                                                           format="url",
                                                           ignore_padding=true
                                       ),
                                       strings.icontains(., ..email.email)
                                )
                            )
                    )
            )
        )
        // Branch 2: PDFs and images are scanned directly. Unlike branch 1,
        // this branch does not require a recipient address in the URL; the
        // redirector URI shape alone is the signal.
        //
        // beta.scan_qr is a beta feature and is subject to change without
        // notice; using it in custom rules is not recommended until it has
        // been formally released.
        or (
            (
                .file_type in $file_types_images
                or .file_type == "pdf"
            )
            and any(beta.scan_qr(.).items,
                    .type is not null
                    and regex.contains(.url.url,
                                       '\.(?:c(?:ompany|you)|sbs)(?:[$#]|\?a=)'
                    )
            )
        )
)