• Sublime Core Feed
Medium Severity

Attachment: QR code with credential phishing indicators

Labels

Credential Phishing
QR code
Social engineering
Computer Vision
Header analysis
Natural Language Understanding
QR code analysis
Sender analysis
URL analysis
URL screenshot

Description

Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code url traverses suspicious infrastructure, the final destination is in URLhaus, decoded URL downloads a zip or executable, leverages URL shorteners, known QR abused openredirects, and more.

References

No references.

Sublime Security
Created Sep 28th, 2023 • Last updated Apr 25th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and 1 <= length(attachments) < 3

// Inspects image attachments for QR codes
and any(attachments,
        (.file_type in $file_types_images or .file_type == "pdf")
        and (
          any(file.explode(.),
              .scan.qr.type == "url"
              and (
                // pass the QR URL to LinkAnalysis
                any([ml.link_analysis(.scan.qr.url)],
                    .credphish.disposition == "phishing"

                    // any routing traverses via $suspicious_tld list
                    or any(.redirect_history, .domain.tld in $suspicious_tlds)

                    // effective destination in $suspicious_tld list
                    or .effective_url.domain.tld in $suspicious_tlds

                    // or the effective destination domain is in $abuse_ch_urlhaus_domains_trusted_reporters
                    or .effective_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters

                    // or any files downloaded are zips or executables
                    or any(.files_downloaded,
                           .file_extension in $file_extensions_common_archives
                           or .file_extension in $file_extensions_executables
                    )
                )
                or (

                  // or the QR code's root domain is a url_shortener
                  .scan.qr.url.domain.root_domain in $url_shorteners

                  // exclude google maps
                  and not strings.starts_with(.scan.qr.url.url, 'https://goo.gl/maps')
                  and not strings.starts_with(.scan.qr.url.url, 'https://maps.app.goo.gl')
                )

                // the QR code url is a bing open redirect
                or .scan.qr.url.domain.root_domain == 'bing.com' and .scan.qr.url.path =~ '/ck/a'
                or (

                  // usap-dc open redirect
                  .scan.qr.url.domain.root_domain == "usap-dc.org"
                  and .scan.qr.url.path =~ "/tracker"
                  and strings.starts_with(.scan.qr.url.query_params, "type=dataset&url=http")
                )
              )
          )
        )
)
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Console
View MQL Guide

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started