High Severity

QR code to auto-download of a suspicious file type (unsolicited)

Description

A QR code in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.

Recursively explodes auto-downloaded files within archives to detect these file types.

References

No references.

Sublime Security
Created Nov 20th, 2024 • Last updated Nov 20th, 2024
Source
type.inbound
and any(file.explode(beta.message_screenshot()),
        any(ml.link_analysis(.scan.qr.url).files_downloaded,
            any(file.explode(.),
                .file_extension in (
                  "dll",
                  "exe",
                  "html",
                  "lnk",
                  "js",
                  "vba",
                  "vbs",
                  "vbe",
                  "bat",
                  "py",
                  "ics",
                  "sh",
                  "ps1"
                )
                or strings.ilike(.file_name, "*.exe")
                or (
                  .file_extension not in ("dll", "exe")
                  and (
                    .flavors.mime in ("application/x-dosexec")
                    or any(.flavors.yara, . in ('mz_file'))
                  )
                )
                or any(.flavors.yara, . == "macho_file")
            )
        )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.