High Severity
Attachment: QR Code With Userinfo Portion
Description
Detects inbound messages that contain image or document attachments with QR codes containing embedded usernames, passwords, or excessively padded URLs. This technique is used to bypass traditional text-based detection methods.
References
No references.
Sublime Security
Created Feb 21st, 2025 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and any(attachments,
        (
          .file_type in $file_types_images
          or .file_extension in $file_extensions_macros
          or .file_type == "pdf"
        )
        and any(file.explode(.),
                (
                  .scan.qr.url.username is not null
                  or .scan.qr.url.password is not null
                  // keep in sync with https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/link_userinfo_excessive_padding.yml
                  or regex.icontains(coalesce(.scan.qr.url.rewrite.original,
                                              .scan.qr.url.url
                                     ),
                                     'https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+(?:\s+|%(?:25)?[a-f0-9]{2}|0x[a-f0-9]+){30,}(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)'
                  )
                )
                and .scan.qr.url.domain.root_domain != sender.email.domain.root_domain
                and not any(recipients.to,
                            .email.domain.root_domain == ..scan.qr.url.domain.root_domain
                )
                and not any(recipients.cc,
                            .email.domain.root_domain == ..scan.qr.url.domain.root_domain
                )
        )
)
and not profile.by_sender_email().any_messages_benign
and not profile.by_sender_email().solicited
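As an added illustration (not Sublime's code or MQL), the Python below applies the same URL conditions to a decoded QR code URL offline: userinfo present, or the excessive-padding regex from the rule, followed by the sender/recipient root-domain exclusions. The root_domain helper, the sample addresses and URLs are constructed assumptions; Sublime's root_domain is eTLD+1, approximated here by the last two labels.

```python
import re
from urllib.parse import urlsplit

# Same pattern as the rule above, searched case-insensitively like regex.icontains.
EXCESSIVE_PADDING = re.compile(
    r'https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+'
    r'(?:\s+|%(?:25)?[a-f0-9]{2}|0x[a-f0-9]+){30,}'
    r'(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)',
    re.IGNORECASE,
)


def root_domain(host: str) -> str:
    """Constructed approximation of Sublime's .root_domain (eTLD+1): last two labels.
    Adequate for the .com/.net style hosts used in this example, not for co.uk etc."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def qr_url_findings(qr_url: str, sender_email: str, recipients: list[str]) -> list[str]:
    """Return the rule conditions a decoded QR URL triggers (empty list = no hit).

    Mirrors the username/password/padding checks, then drops hits whose root
    domain matches the sender or any To/Cc recipient, as the rule does.
    """
    parts = urlsplit(qr_url)
    reasons = []
    if parts.username is not None:          # .scan.qr.url.username is not null
        reasons.append("username")
    if parts.password is not None:          # .scan.qr.url.password is not null
        reasons.append("password")
    if EXCESSIVE_PADDING.search(qr_url):    # padded host followed by @ and a real host
        reasons.append("excessive_padding")
    if not reasons:
        return []
    qr_root = root_domain(parts.hostname or "")
    own_roots = {root_domain(addr.split("@")[-1]) for addr in [sender_email, *recipients]}
    return [] if qr_root in own_roots else reasons


# Constructed samples: a credential-bearing link and a padded-host link.
USERINFO_URL = "https://user:pass@login.example.net/"
PADDED_URL = "https://www.example-bank.com" + "%20" * 40 + "@evil.example/login"

if __name__ == "__main__":
    for url in (USERINFO_URL, PADDED_URL, "https://www.corp.example/page"):
        print(url[:60], "->", qr_url_findings(url, "alice@corp.example", ["bob@corp.example"]))
```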