Update qr_code_suspicious_indicators.yml (#916)

sublime-security · Nov 4, 2023 · 7a5138a · 7a5138a
1 parent 7323bab
commit 7a5138a
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/detection-rules/qr_code_suspicious_indicators.yml b/detection-rules/qr_code_suspicious_indicators.yml
@@ -14,7 +14,7 @@ source: |
                   .scan.qr.type is not null
                   // exclude images taken with mobile cameras and screenshots from android
                   and not any(.scan.exiftool.fields,
-                              .key == "Model"
+                              .key == "Model" or .key == "Megapixels"
                               or .key == "Software" and strings.starts_with(.value, "Android")
                   )
           )
@@ -67,6 +67,7 @@ source: |
     )
     or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
+
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques: