High Severity
Brand impersonation: Microsoft (QR code)
Description
Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and (
any(attachments,
(
.file_type in $file_types_images
or .file_type == "pdf"
or .file_type in~ $file_extensions_macros
)
and (
any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
or any(file.explode(.),
// for Office documents
.flavors.mime == "text/xml"
and any(.scan.strings.strings,
regex.icontains(.,
'Microsoft\s*(?:\w+(?:\s*\w+)?|[[:punct:]]+|\s+){0,3}\s*(?:Authenticat(?:e|or|ion)|2fa|Multi.Factor|(?:qr|bar).code|action.require|alert|Att(?:n|ention))'
)
)
)
)
)
or any(ml.logo_detect(beta.message_screenshot()).brands,
strings.starts_with(.name, "Microsoft")
)
or (
// limited body length
length(body.current_thread.text) < 300
and any(filter(attachments,
.file_type in $file_types_images
// image attachments that are displayed in the body
// when the content-id is corrected, this will be much more simple
and
(
any(regex.extract(.content_id, '^<(?P<cid>[^\>]+)\>$'),
strings.icontains(body.html.raw,
.named_groups["cid"]
)
)
or strings.icontains(body.html.raw, .content_id)
)
),
// those images contain the wording
any(file.explode(.),
regex.icontains(.scan.ocr.raw,
'Microsoft\s*(?:\w+(?:\s*\w+)?|[[:punct:]]+|\s+){0,3}\s*(?:Authenticat(?:e|or|ion)|2fa|Multi.Factor|(?:qr|bar).code|action.require|alert|Att(?:n|ention))'
)
)
)
)
)
and any(attachments,
(
.file_type in $file_types_images
or .file_type == "pdf"
or .file_type in $file_extensions_macros
)
and (
any(file.explode(.),
regex.icontains(.scan.ocr.raw, 'scan|camera')
and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
)
or (
any(file.explode(.),
.scan.qr.type == "url"
// recipient email address is present in the URL, a common tactic used in credential phishing attacks
and any(recipients.to,
(
(strings.icontains(..scan.qr.data, .email.email))
// the recipients sld is in the senders display name
or any(recipients.to,
strings.icontains(sender.display_name,
.email.domain.sld
)
)
// the recipient local is in the body
or any(recipients.to,
strings.icontains(body.current_thread.text,
.email.local_part
)
)
// or the body is null
or body.current_thread.text is null
or body.current_thread.text == ""
// or the subject contains authentication/urgency verbiage
or regex.contains(subject.subject,
"(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
)
)
and (
.email.domain.valid
or strings.icontains(.display_name, "undisclosed")
)
)
)
)
)
)
and (
not any(headers.hops,
.authentication_results.compauth.verdict is not null
and .authentication_results.compauth.verdict == "pass"
and sender.email.domain.domain == "microsoft.com"
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.