• Sublime Core Feed

Description

Detects inbound messages that contain compensation-related terms (salary, bonus, merit, etc.) combined with review/change language and that include EML attachments containing QR codes or barcodes in scanned documents.

References

No references.

Sublime Security
Created Apr 3rd, 2025 • Last updated Nov 26th, 2025
Source
// Scope: inbound messages only. Every clause below is AND-ed together, so a
// message must satisfy the subject checks, the nested-EML attachment check,
// and the negated exclusion at the end to match.
type.inbound

// the subject contains pay related items
// (case-insensitive substring / regex matches on the subject line; at least one must hit)
and (
  strings.icontains(subject.subject, 'salary')
  or regex.icontains(subject.subject, 'comp(?:liance|ensation|\b)')
  or strings.icontains(subject.subject, 'remuneration')
  or regex.icontains(subject.subject, '\bpay(?:roll|\b)')
  or strings.icontains(subject.subject, 'bonus')
  or strings.icontains(subject.subject, 'incentive')
  or strings.icontains(subject.subject, 'merit')
  or strings.icontains(subject.subject, 'handbook')
  or strings.icontains(subject.subject, 'benefits')
)
// subjects include review/updates/changes
// (second subject theme; required in addition to the pay-related group above)
and (
  strings.icontains(subject.subject, 'review')
  or strings.icontains(subject.subject, 'Summary')
  or strings.icontains(subject.subject, 'evaluation')
  or regex.icontains(subject.subject, 'eval\b')
  or strings.icontains(subject.subject, 'assessment')
  or strings.icontains(subject.subject, 'appraisal')
  or strings.icontains(subject.subject, 'feedback')
  or strings.icontains(subject.subject, 'performance')
  or strings.icontains(subject.subject, 'adjustment')
  or strings.icontains(subject.subject, 'statement')
  or strings.icontains(subject.subject, 'increase')
  or strings.icontains(subject.subject, 'raise')
  or strings.icontains(subject.subject, 'change')
  or strings.icontains(subject.subject, 'modification')
  or strings.icontains(subject.subject, 'distribution')
  or strings.icontains(subject.subject, 'Disbursement')
  or regex.icontains(subject.subject, 'revis(?:ed|ion)')
  or regex.icontains(subject.subject, 'amend(?:ed|ment)')
  or strings.icontains(subject.subject, 'update')
)
// At least one attachment must be a nested message (message/rfc822 content type
// or .eml extension); each such attachment is parsed and one of the three
// alternatives below must be true for it.
and any(filter(attachments,
               // NOTE(review): single-element list form ('eml') — confirm MQL treats this
               // as a one-item list rather than a bare string
               .content_type == "message/rfc822" or .file_extension in ('eml')
        ),
        // inspect attachments in nested EML
        // Alternative 1: explode each attachment of the nested message and look for
        // either (a) OCR text that mentions scanning/camera AND QR/barcode wording, or
        // (b) a decoded QR code whose payload is a URL with a valid domain.
        any(file.parse_eml(.).attachments,
            any(file.explode(.),
                (
                  regex.icontains(.scan.ocr.raw, 'scan|camera')
                  and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
                )
                or .scan.qr.type == "url" and .scan.qr.url.domain.valid
            )
        )
        // inspect nested EML in body.current_thread
        // Alternative 2: the nested message's own body text carries both the
        // scanning/camera and the QR/barcode wording (no attachment required).
        or (
          regex.icontains(file.parse_eml(.).body.current_thread.text,
                          'scan|camera'
          )
          and regex.icontains(file.parse_eml(.).body.current_thread.text,
                              '\bQR\b|Q\.R\.|barcode'
          )
        )
        // or there is a QR code found within the body of the nested body
        // Alternative 3: render the nested message's HTML body to a screenshot and
        // scan it for QR codes; at least one decoded code must be a URL with a valid
        // domain. Note the screenshot + QR scan expression is evaluated twice here
        // (once for .found, once for .items); the result is the same, it is just
        // repeated work.
        or (
          beta.scan_qr(file.html_screenshot(file.parse_eml(.).body.html)).found
          and any(beta.scan_qr(file.html_screenshot(file.parse_eml(.).body.html)
                  ).items,
                  .type == "url" and .url.domain.valid
          )
        )
)

// negate instances where proofpoint sends a review of a reported message via analyzer
// The exemption is tied to authentication (SPF and DMARC pass) and to a pphosted.com
// header domain, so a message merely spoofing the analyzer sender address does not
// get excluded.
and not (
  sender.email.email == "analyzer@analyzer.securityeducation.com"
  and any(headers.domains, .root_domain == "pphosted.com")
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
)