• Sublime Core Feed
Medium Severity

Unicode QR Code

Labels

Credential Phishing
Evasion
Content analysis
Sender analysis
QR code analysis

Description

Identifies messages leveraging Unicode block characters (between U+2580 - U+259F) arranged on consecutive lines to create QR codes. The rule inspects both the overall quantity and specific formatting of these characters, while considering the sender's historical behavior and reputation.

References

Sublime Security
Created Feb 26th, 2025 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// count of the lines ending with and then followed by a unicode block
and regex.count(body.current_thread.text,
                '[\x{2580}-\x{259F}][^\S\r\n]*[\r\n][^\S\r\n]*[\x{2580}-\x{259F}]'
) > 10
// the total number of unicode blocks
and regex.count(body.current_thread.text, '[\x{2580}-\x{259F}]') > 150
and (
  profile.by_sender_email().prevalence != "common"
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_messages_benign
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started